0

I know it sounds weird, but I have to time out the session if a user changes the URL to any other website.

Then I should not allow them to use the same session.

user416
  • unset your session before the redirect to the other site – Leo Bali Sep 19 '14 at 16:17
  • In other words to timeout session after user leaves your page? – Gustek Sep 19 '14 at 16:18
  • What happens if I open multiple tabs, should the session be maintained in that instance? If you want to simulate the behaviour you're talking about you could set a very low session time, then use ajax to constantly hit your server, keeping the session alive. Once they leave the site your session times out because it stops being accessed. But that won't work if you have multiple tabs (because one copy of the site would keep you logged in everywhere). – scragar Sep 19 '14 at 16:19
  • @LeoBali, It should be detected from the client side... For instance, User will close the browser or simply change the url address. I need some help towards this... – user416 Sep 19 '14 at 16:20
  • @scragar, So setting the low session time is the only option. Is there a way to restrict multiple tab access? – user416 Sep 19 '14 at 16:24
  • @user416 You could use javascript to detect the user leaving the page and make a request to tell your system to log out, but that might not always work, and I don't know of any way to know where the users are going if they trigger the onbeforeunload event. I suppose maybe you could add scripts to all your links and forms to capture this and update a flag first or something, but I don't think it'll work very effectively. Have you considered making your site a pop-up without navigation controls? Without a url bar most people won't be able to figure out how to change the URL. – scragar Sep 19 '14 at 16:30
  • @scragar, onbeforeunload is one possible option... – user416 Sep 19 '14 at 16:36
  • Merely curious, why do you want to do this? You'll never be able to stop somebody from browsing to other sites while using yours. It would be trivial for them to open another browser altogether, or even use a different device in the same room. – nhinkle Sep 19 '14 at 16:47
  • @nhinkle, End user has very limited experience with websites. When they change the URL to a new website, there is a chance for assumption they have logged out. This should not create any breach, especially on public systems. – user416 Sep 19 '14 at 17:47

1 Answer

1

You could look at the `$_SERVER['HTTP_REFERER']` variable. If it is not from a page in your website then you can destroy the session and start a new one. So the user will have a new session every time they leave / revisit your site.

This would not allow them to use the same session.

David Jones
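The Referer check from the answer, combined with the short idle timeout suggested in the comments, as an added example that is not part of the original post. `ALLOWED_HOST`, `IDLE_LIMIT` and the `user_id` / `last_seen` session keys are assumed names, and a missing Referer is treated here as an external arrival.

```php
<?php
// Added example, not code from the original answer.
// Assumed values: replace with your own host and timeout.
const ALLOWED_HOST = 'app.example.test'; // placeholder host name
const IDLE_LIMIT   = 120;                // seconds without a request

/** True when the Referer header names a page on our own host. */
function referer_is_internal(?string $referer, string $ownHost): bool
{
    if ($referer === null || $referer === '') {
        // Typed URL, bookmark, or Referer suppressed by browser policy.
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $ownHost) === 0;
}

/** Discard the current session's data and continue under a new ID. */
function reset_session(): void
{
    $_SESSION = [];
    session_destroy();
    session_start();
    session_regenerate_id(true); // true = delete the old session record
}

session_start();
$now = time();

// Server-enforced part: the session expires if no request (page load
// or AJAX keep-alive) arrived within IDLE_LIMIT seconds.
$idleTooLong = isset($_SESSION['last_seen'])
    && ($now - $_SESSION['last_seen']) > IDLE_LIMIT;

// Referer is sent by the browser and can be absent or altered, so this
// check covers the ordinary "went elsewhere and came back" case only.
$external = !referer_is_internal($_SERVER['HTTP_REFERER'] ?? null, ALLOWED_HOST);

if (isset($_SESSION['user_id']) && ($idleTooLong || $external)) {
    reset_session(); // user must authenticate again
}
$_SESSION['last_seen'] = $now;
```

Include this at the top of every protected page, before any output. With multiple tabs open, a keep-alive from any one tab refreshes `last_seen` for all of them, as noted in the comments.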