This is a common challenge with a pretty easy solution.

First, in case you are curious why the session can be reestablished,
the bookmarked page likely has the session identifier in the query
string. Thus, it is unnecessary for the browser to send a cookie,
because it is sending the session identifier as a GET variable. This
is what PHP is using to identify the client.

It is a bad idea to depend on the timeout of a cookie or the session
cleanup process to maintain a session timeout mechanism. Instead, you
should keep a timestamp stored as a session variable that you use to
make any time-based decisions for that session. For example:

$_SESSION["last_access"] = gmmktime();

To use this value to enforce a timeout, you would make a check
similar to the following to make sure it hasn't been too long since
the last access:

$seconds_idle = gmmktime() - $_SESSION["last_access"];

If the number of seconds they have been idle is too long for you,
force them to reenter their password or even completely
reauthenticate to continue. If the idle time is acceptable to you,
reset the session variable to the current time.


--- Jean-Christian Imbeault <[EMAIL PROTECTED]> wrote:

> I've made a site in PHP and on some pages a user needs to log
> in first before gaining access to the page. (i.e. there is a
> log in page).
> Once the user has logged in I keep that fact in a session
> variable so that he doesn't need to log in again.
> However I have found out that if:
> 1- the user logs in
> 2- bookmarks the page
> 3- closes the browser
> 4- opens the browser
> 5- goes to the saved bookmark page
> He has access to the page. I.e. the session did not
> close/terminate when  he closed his browser ...
> In Netscape 7 I have checked the stored cookie and it is set
> to expire  at the end of the session (which is the default I
> think), so I don't understand why the PHP thinks the session
> is still opened ...

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to