What about cookies - someone said if you put no time limit on a cookie it
dies when you leave the site - I'm not sure about this, but any help is
appreciated.


----- Original Message -----
From: "Justin French" <[EMAIL PROTECTED]>
To: "Beauford.2002" <[EMAIL PROTECTED]>; "PHP General" <[EMAIL PROTECTED]>
Sent: Friday, March 21, 2003 2:46 AM
Subject: Re: [PHP] Sessions question


> on 21/03/03 4:57 PM, Beauford.2002 ([EMAIL PROTECTED]) wrote:
>
> > I have read some posts to this list on sessions and have read as much as I
> > can find on them, but one problem still exists which I can't figure out. How
> > do I kill the session when the user leaves my site. So if a user is on
> > www.mine.com and logs in successfully, then goes to www.hers.com - the user
> > should have to log in again once coming back to www.mine.com, but at present
> > the user is still logged in - and all variables are still set.
>
> How can PHP possibly tell when the user closes a window, or manually enters
> a new URL into the browser?
>
> It can't because PHP is only server side.
>
> Set the appropriate session max lifetime and garbage clean out probability,
> and sessions should die within a reasonable time of not being used (see
> php.ini for more info).
>
> Or, present the user with a logout link, to be sure the session is killed
> instantly.
>
> You can also do some *extra* insurance by creating a javascript pop-up
> triggered on a window close event which forces a log out, but this will only
> help in some cases, and more to the point, client-side scripting cannot be
> relied upon.
>
> If you want to kill sessions as people click on external links within your
> site, you can do so by creating a middle-man script between your page and
> the external site:
>
> Instead of
> <a href='http://newsite.com'>click</a> you would do this:
>
> <a href='out.php?url=<?=urlencode('http://newsite.com')?>'>click</a>
>
> out.php would be responsible for killing the session before doing a header()
> redirect to the target url.
>
>
> But, end of the day, all these are work-arounds.  Offer a logout link on
> every page of your site.  If the user chooses not to logout, then they are
> consciously making this decision -- they may want to come back shortly, or
> they may not care about the security implications -- either way, it's their
> call.
>
>
> Justin
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
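
The out.php middle-man script described in the quoted reply, as an added example that is not code from the thread. The function names and the ALLOWED_HOSTS list are assumptions; the host check is included because a script that redirects to whatever `url` parameter it receives will forward visitors to any address placed in a link to it.

```php
<?php
// out.php: added example, not code from the thread.
// Ends the visitor's session, then redirects to an external site.

// Assumption: the external hosts this site links to (constructed sample values).
const ALLOWED_HOSTS = ['newsite.com', 'www.hers.com'];

/** Return $url if it is an absolute http(s) URL on an allowed host, else null. */
function safe_target($url): ?string
{
    if (!is_string($url) || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null; // missing, an array, or contains control chars / whitespace
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // relative, scheme-less or malformed
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // no javascript:, data:, etc.
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // reject http://allowed.host@other.host/ style URLs
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    return $url;
}

function end_session(): void
{
    session_start();
    $_SESSION = [];                       // drop the variables for this request
    if (ini_get('session.use_cookies')) { // expire the session cookie in the browser
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // delete the server-side session data
}

// The session is ended even when the target is rejected; the visitor then
// lands on the site's own front page instead of the requested URL.
end_session();
$target = safe_target($_GET['url'] ?? null);
header('Location: ' . ($target ?? '/'), true, 302);
exit;
```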
