1

I am working on a PHP site. I have set a timeout for the user session to expire, which is working fine. But the user session is not getting destroyed after a machine reboot, which I think is a security issue.

I run the site on a Debian guest VM, and my host machine is Ubuntu. I have researched enough about the issue only to learn that sessions cannot get destroyed until they time out or the user logs out. What am I missing here?

I tested with Chrome and Firefox.

Will
  • To clarify: You're rebooting the machine, but not logging out the user or waiting for the session to time out. Correct? – jkdev Jan 20 '16 at 05:58
  • Exactly. That is my case. Is this a browser issue or am I missing something in php.ini? – user2402244 Jan 20 '16 at 06:02

2 Answers

2

If you use:

session_set_cookie_params(0);
session_start();

Your session cookie will be destroyed when the browser is closed... so your session will be good until they close the browser. I.e., you log in, and you are logged in; you close the browser, re-open it, go to the site again, and you won't be logged in.

Chetan Naik
  • But the problem is when I leave the site running in the browser and reboot the guest. The sessions are not getting destroyed. – user2402244 Jan 20 '16 at 05:56
  • Refer to http://stackoverflow.com/questions/24402047/php-session-destroy-after-closing-browser and https://www.sitepoint.com/community/t/php-session-does-not-expire-on-closing-browser/6831/2 – Chetan Naik Jan 20 '16 at 06:07
1

Why do you expect rebooting the machine to clear sessions, and how is this a security issue? If you want to clear sessions when the machine boots, just add:

rm -f /tmp/sess_*

to your /etc/rc.local. Replace /tmp/sess_* with wherever you've configured session.save_path in php.ini.

Will
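
The boot-time cleanup suggested in the answer above, written out as an added example (not code from the original post). It assumes file-based sessions; the function names, the `--purge` flag and the script path in the comment are hypothetical. It goes slightly beyond the one-liner by handling the `N;MODE;/path` form of session.save_path, where session files sit in subdirectories that a plain glob would miss.

```shell
#!/bin/sh
# Added example: purge PHP file-based sessions at boot.
# Hypothetical call from /etc/rc.local:
#   /usr/local/sbin/purge-php-sessions.sh --purge "/var/lib/php/sessions"

# session.save_path may be "/path", "N;/path" or "N;MODE;/path".
# The directory is always the last ';'-separated field.
session_dir() {
    printf '%s\n' "${1##*;}"
}

# Delete every sess_* file below the directory and print how many were removed.
# Refuses empty, relative and root paths so a bad value cannot widen the delete.
purge_sessions() {
    dir=$1
    case $dir in
        ''|/) return 1 ;;   # nothing configured, or the filesystem root
        /*)   ;;            # absolute path: accepted
        *)    return 1 ;;   # relative path: depends on cwd, refuse
    esac
    [ -d "$dir" ] || return 1

    # -type f skips symlinks, so a link planted in a shared directory
    # such as /tmp is not followed; find also descends into the
    # subdirectories used by the "N;/path" layout.
    count=$(find "$dir" -type f -name 'sess_*' | wc -l)
    find "$dir" -type f -name 'sess_*' -exec rm -f -- {} +
    echo $((count))
}

# Only act when asked to, so the file can also be sourced for its functions.
if [ "${1:-}" = "--purge" ]; then
    purge_sessions "$(session_dir "${2:-}")"
fi
```

Pass the save_path value from the php.ini that the web server's PHP uses, since the CLI may read a different file.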