Hi there,

I recently discovered a hole in my and a lot other apps on the net.
There must be a workaround, becaus I also found apps which work fine.

The sittuation is as follows:
After signing in, I am setting a cookie with a unique session id.
Cookie parameter is set to 0. The session expires as soon as the client
closes the browser.
Thats what I thought.

Real live looks like this:
Closing all browser windows makes the session expired, as it should. But!!
Closing the window with the application inside does not expire the session
there is another child of this browser open. For example e-mail services. I
a service where it possible to close your browser window with the app inside
the session is still active. What if the person is in a internet caffee?
Someone else
just takes the other open window of the browser and hits on the history the
browsed sites and here he goes!

My question is:
Is there a way to close this hole and let the session expire as soon as only
the active window
is closed?

Thanx you for any help,


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to