PHP session control

lhoff · 05-04-2002, 10:28 AM

I need to unregister and destroy a session for a web app I'm developing.

I'm not using cookies (that's a requirement); the session currently persists across multiple PHP documents. But, when the user either (a) leaves the current web directory or (b) closes the browser window, I need to unregister and destroy the session.

I thought about putting this into an onunload event, but that would destroy the session while the user is just moving between pages.

Anybody have any suggestions about how to do this? Thanks!

gene_gEnie · 05-06-2002, 04:41 AM

Hi,
not totally sure about either of these but here goes:

for (b) Wont the session be killed automatically when the user closes the browser window?

for (a) By web directory, do you mean the part after the domain?
i.e. www.linuxquestions.org/questions
or
www.linuxquestions.org/different_dir

with questions or different_dir being the relevant parts.

If so, you could test the HTTP_REFERER against the current URL using some regex. If the dir part is different, kill your session, if not just continue as normal.

????

Sounds easy eh.
Im sure that would work though.

Hope that helps

Martin

lhoff · 05-06-2002, 09:45 AM

Quote:

Originally posted by gene_gEnie

for (b) Wont the session be killed automatically when the user closes the browser window?

No: I can close the browser, launch a new one, scroll down the cached addresses to the URL that has my old session number in it and select it. I'm back in my old session, logged in. That's what I need to prevent.

Quote:

for (a) By web directory, do you mean the part after the domain?
i.e. www.linuxquestions.org/questions
or
www.linuxquestions.org/different_dir

Yep. I'll give the HTTP-REFERER method a try, though I've not used it before.

Thanks!

gene_gEnie · 05-06-2002, 12:25 PM

i had a look round the net for an example on how to trap a closing window and it seems lots of people have had the same problem.

this link will take you to a msg board with a couple of suggestions - none of them trivial i reckon.

http://216.239.51.100/search?q=cache:
Phx8sc62_n8C:p2p.wrox.com/archive/javascript/
2001-09/46.asp+trap+browser+closing+with+javascript&hl=en

One guy said that you cant trap the user closing the window with the X button (top right hand corner etc) so what you have to do is trap everything else that may be a problem, in your case:
a refresh or moving to a different page within the same directory.

Then, set a flag to true, only if it is none of these events was fired.
hmmmm....

Have a look at that msg board, there is some javascript on it that you could maybe adapt, - javascript being the way to accomplish this probably.

hth

Martin

p.s. sorry about messed up URL. I couldnt get LQ to stop parsing it in funny ways. (i.e inserting smileys or newlines or completely ommiting some of it)