12

Where user enters the website, it sent a default language, at the same time it will force the user to select a language from a list...
When user selects a language it sets a $_SESSION['language'] = $_POST['lg'];
At the same time I set another $_SESSION['sestime'] = time();
with this session I can do this:

if(isset($_SESSION['sestime']) && (time() - $_SESSION['sestime'] > 600)) {
session_unset(); session_destroy();
header("Location: $sred");
exit;
}
$_SESSION['sestime'] = time();

With that if there are no activity within 10min it destroy/delete/unset any session, the idea is to ask again for the lanaguage... now, this is "working", but what I'd like is away to "detect" when user is about to close a browser tab, the websites tab... if users close the tab then "destroy/delete/unset" any session for this website...
Is that possible?

Tanker
  • 1,178
  • 3
  • 16
  • 49
  • 3
    You could have a periodic AJAX request with a lower timeout, but then you'll be making your site unusable for people who turn off Javascript or who have disabilities and use alternative technologies to browse the web. There is nothing in the HTTP protocol that lets you know when a user stops viewing your site, so your best bet is a sane timeout. – Ghedipunk Oct 08 '15 at 17:00

3 Answers3

13

Session Cookies are usually sent without an expire time which means they are deleted when the browser is closed, so the session is lost anyway.

1) Destroy or unset session when user close the browser without clicking on logout

You can set an expiration time for the session data, test it with each session_start call and destroy the session if it’s expired:

session_start();
if (!isset($_SESSION['EXPIRES']) || $_SESSION['EXPIRES'] < time()+3600) {
    session_destroy();
    $_SESSION = array();
}
$_SESSION['EXPIRES'] = time() + 3600;

2) destroy session when broswer tab closed

implement a session timeout with own method. Use a simple time stamp that denotes the time of the last request and update it with every request:

You need to code something similar to this

if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    // request 30 minates ago
    session_destroy();
    session_unset();
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time

3) How to change the session timeout in PHP?

session_start(); // ready to go!

$now = time();
if (isset($_SESSION['discard_after']) && $now > $_SESSION['discard_after']) {
    // this session has worn out its welcome; kill it and start a brand new one
    session_unset();
    session_destroy();
    session_start();
}

// either new or old, it should live at most for another hour
$_SESSION['discard_after'] = $now + 3600;

4) The unload event is sent to the window element when the user navigates away from the page. This could mean one of many things. The user could have clicked on a link to leave the page, or typed in a new URL in the address bar. The forward and back buttons will trigger the event. Closing the browser window will cause the event to be triggered. Even a page reload will first create an unload event.

$( window ).unload(function() {
  //use ajax to call another page to session_destroy();
});

Question is: What if the user has two or more tabs open on your site? If they close one tab, the other one would effectively be logged out.

Community
  • 1
  • 1
Nana Partykar
  • 10,556
  • 10
  • 48
  • 77
  • 2
    You got my +1 for the great explanation with cases. Generally speaking, I'm negatively surprised that contemporary browsers don't have a mechanism for this: when I close the tab of such website, EVERY SESSION must destroy, like if I had closed the browser. I see bad behaviors on this side, e.g. Paypal, in fact, if you close the tab and you open again paypal, you are still logged in, same in google/gmail, on gmail is even worse though, if you don't logout, you are logged in FOREVER EITHER if you don't ask for that. Try on any third computer either after some days. REMEMBER TO LOGOUT!! :-) – Robert Aug 14 '17 at 07:01
0

best way to change value or destroy value of javascript session on tab close

var data=sessionStorage.getItem("data");
var sessiondomain=sessionStorage.getItem("domain");
var domain=window.location.hostname;

if(data == null && sessiondomain == null) {
  sessionStorage.setItem("data", "1");
  sessionStorage.setItem("domain", window.location.hostname);

  $("#dd").show();
}else if(data==1 && sessiondomain==domain){
  $("#dd").show();
}

$(document).ready(function(){
  $("#clickme").click(function(){
     sessionStorage.setItem("data", "0");
     sessionStorage.setItem("domain", "0");

  });
});
helvete
  • 2,455
  • 13
  • 33
  • 37
Mohd Faiyyaj
  • 1
0

use ajax to session auto destroy `

<script>        
window.addEventListener("beforeunload", function () {         
      $.ajax({ 

          type: "POST", 
          url: "logout.php",  
       
      }); 
    }); 
</script>`
User123456
  • 2,492
  • 3
  • 30
  • 44
user19382561
  • 1
  • 1
  • It's a nice idea, but I don't think this works anymore on modern browsers. – IT goldman Jun 24 '22 at 21:43
  • Right, this doesn't work. Browsers don't reliably send asynchronous XHR/fetch requests when a tab is closed. You can use `navigator.sendBeacon()`, which is guaranteed to send, but [the `"beforeunload"`/`"unload"` events are not reliable either](https://developer.mozilla.org/en-US/docs/Web/API/Navigator/sendBeacon#avoid_unload_and_beforeunload). – ZachB Oct 17 '22 at 05:59