1

I want to log out the user if the browser is closed and force them to log in again when the browser is opened again.

session_start();
if (!(isset($_SESSION['admin']))) {
    header('Location: login.php');
    exit; // stop the script here, otherwise the protected page is still rendered after the redirect header
}

This doesn't work, because closing the browser does not mean the sessions are dropped on the server, if I understand well a lot of posts on SO and outside.

Using javascript to delete sessions just before closing the browser often doesn't work, because the browser will not wait to execute any code if the user clicks to close the browser.

The second option is keeping the server session alive by sending a js code from the client (setInterval - ajax).

The problem here is the scenario with multiple pages open in different tabs/windows, i.e. interference between multiple setInterval functions.

I also tried this:

session_set_cookie_params(0);
session_start();

This also doesn't work: after turning the browser off/on, index.php opens without redirecting to login.php.

The reason is maybe the browser option to automatically restore previously loaded pages.

So, what to do?

qadenza
  • 9,025
  • 18
  • 73
  • 126

3 Answers

1

There are a couple of options but all end up the same way. You can either store something in sessionStorage to check the session; when the browser is closed, session storage will be wiped out. Or you can add a hidden input field and assign a value per session. If the page is newly loaded and the value exists, that means the session is still active, so you can redirect to logout and show the login page either way. But the second option may not be useful if your app has page reloads. I think sessionStorage would be your answer. Set the session in sessionStorage on login, if it is empty. Then check session storage on page load. If it is empty, that means the user is there for the first time, since a page reload will keep the value.

serdar.sanri
  • 2,217
  • 1
  • 17
  • 21
  • I don't want to force login on each page reload, but on each browser session. If I misunderstand you - could you give me a link or example, pls. – qadenza Aug 11 '17 at 18:15
  • so this is how some applications break opening new pages in tabs then. They use sessionStorage on the local machine to tell when to delete the session cookie, so when you open a new tab from a link in the application, you get logged out in your original tab. Lol. – developerwjk Aug 11 '17 at 18:19
  • Could that be a possible security issue, because sessionStorage is a javascript stuff, so - changeable by the client? – qadenza Aug 11 '17 at 18:21
1

When Google Chrome is configured to re-open all previous tabs, it won't delete your session cookie. See for example this question asked 5 years ago, but still an issue (just verified, Google didn't change that behaviour). Unfortunately you can't do much about this behaviour (as far as I know). Without deleting that cookie your session still remains open (unless it is deleted server-side during clean-up).

The best solution to handle an automatic logout is to store a 'last activity time' in your session, update it in every request, and in your 'is logged in' check verify that the last activity was not more than, say, 15 minutes ago. If it is more than 15 minutes ago, you could send him to login.php.

To improve this further (and if this is really an issue for you), you can use a setInterval in javascript to send keep-alive AJAX calls to the server every 30 seconds or so. In that way you can lower the 'last activity time' (either real activity or automated) limit from 15 minutes to 2 or 1 (leave some room for network hiccups).

Peter van der Wal
  • 11,141
  • 2
  • 21
  • 29
  • How does the suggestion in paragraph 2 differ from just lowering the session timeout to 15 minutes? – developerwjk Aug 11 '17 at 19:05
  • @developerwjk If you mean changing `session.gc_maxlifetime`, indeed it doesn't differ much. `gc_probability` can be an issue when the site gets a really low count of visitors and is not set accordingly. It can also be a problem when you are using sessions for other purposes than login (and don't want to change the timeout for those). Enforcing it yourself gives you extra control over this, and also gives you the opportunity to give the user a more appropriate "Your session expired, please login again" message. – Peter van der Wal Aug 11 '17 at 19:17
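The idle-timeout check from this answer, written out as an added example (it is not code from the question or from any of the answers). It combines the browser-session cookie (`lifetime => 0`, the same setting the question tried) with a server-side `last_activity` timestamp, so that a restored tab with an old cookie still lands on login.php once the limit has passed. The names `IDLE_LIMIT`, `login_check()`, `require_login()` and the `reason` query parameter are assumptions made for this example; `session_set_cookie_params()` with an array argument needs PHP 7.3 or newer.

```php
<?php
// Added example: server-side idle timeout on top of a browser-session cookie.
// IDLE_LIMIT, login_check(), require_login() and ?reason= are assumed names.
declare(strict_types=1);

const IDLE_LIMIT = 15 * 60; // seconds without a request before a forced re-login

// Cookie without Expires/Max-Age: browsers drop it when they close, except when
// they restore the previous tabs (the Chrome behaviour described in the answer).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

/**
 * Pure check: returns null when the session may be used, otherwise a short
 * reason ('not_logged_in' or 'expired') for the login page to display.
 * Takes the session array and the current time as parameters so it can be
 * reasoned about (and unit-tested) without a real PHP session.
 */
function login_check(array $session, int $now, int $limit = IDLE_LIMIT): ?string
{
    if (!isset($session['admin'])) {
        return 'not_logged_in';
    }
    $last = (int) ($session['last_activity'] ?? 0);
    if ($now - $last > $limit) {
        return 'expired';
    }
    return null;
}

/**
 * Call at the top of every protected page (and from a keep-alive endpoint).
 * Every request that passes the check counts as activity and refreshes the stamp.
 */
function require_login(): void
{
    $reason = login_check($_SESSION, time());
    if ($reason !== null) {
        // Clear the server-side state too, so the stale session id is useless,
        // then send the user to login.php with a hint for the message to show.
        $_SESSION = [];
        session_destroy();
        header('Location: login.php?reason=' . $reason);
        exit; // header() does not stop the script; without exit the page still renders
    }
    $_SESSION['last_activity'] = time();
}

// In login.php, after the password has been verified:
//   session_regenerate_id(true);          // fresh id when privileges change
//   $_SESSION['admin'] = $adminId;
//   $_SESSION['last_activity'] = time();
// and before the form: if (($_GET['reason'] ?? '') === 'expired') {
//   echo 'Your session expired, please login again.'; }

// keepalive.php (the optional setInterval/AJAX target from the answer) needs only:
//   require_login(); http_response_code(204);
// because require_login() already refreshes last_activity. Several open tabs each
// hitting it do not interfere: every call just writes the current time.

require_login();
// ... protected page content ...
```

Because `login_check()` takes the session and the clock as arguments, the timeout rule can be tested in isolation: `login_check(['admin' => 1, 'last_activity' => $t], $t + 16 * 60)` returns `'expired'`, while the same session checked one second earlier returns `null`. Lowering `IDLE_LIMIT` to a minute or two only makes sense together with the keep-alive calls, otherwise a user who reads one page for a few minutes is logged out.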
1

@Axalix wrote:

If the session relies on cookies, you just need to keep the expiry date empty; then when the browser / tab is closed this cookie will be removed from the browser automatically. That's standard browser behavior. Yes, the server will still keep it, but since the browser doesn't have it, the user will need to relogin.

You responded:

could that be a possible security issue because cookies are javascript stuff - changeable by the client?

Yes, cookies can be changed by the client, but Axalix's answer from the comments is still the best if you intend to use $_SESSION. If you want to end the session on browser exit so that a second user doesn't come later and take over the old session, then you must trust the owner of the session with the session cookie.

If you really want to break access as soon as the client leaves, then $_SESSION is not the best tool to track login state. Instead you could use WebSockets. The socket remains open as long as the webpage is open. Once the socket closes, you can invalidate any login state.

This may be more trouble than it's worth, though, so think hard about whether it is really that important. As an alternative, you could use sessionStorage, which is destroyed when the browser closes, but it's also available to the user (so a user could just copy and save what's in sessionStorage, then recreate it later).

Basically you need to trust the user who provided you the username and password.

BeetleJuice
  • 39,516
  • 19
  • 105
  • 165