
Sessions and closing the browser

Question for the group

The authentication system for the site I'm working on seems to function
properly and all is good. A session keeps track of everything and a
cookie is used to accept or deny access... sounds as it should be I hope.
Then when all is done logging out destroys everything and the pages are
no longer accessible. Good so far.

But two things come to mind: one is preventing multiple logins of the
user/password. The solution from what I've read seems to be using another
variable to check whether or not the user is already logged in (a simple
yes or no). Simple enough. I imagine logging out normally and deleting
all values removes this and then the cookie is deleted. But, what if the
browser is simply closed? If I understand how everything works the cookie
will still be there for a set period until it's removed automatically.
What if the user logs in, closes the browser, and tries to log in again?
Is the value saying the login already exists still there? Or am I
thinking I need a solution to a problem that is already transparently
handled?

thx

(note: I sent an email about this earlier today, but I don't see it so I'm
sending it again)
Jul 17 '05 #1
In article <Xn************ ************@21 6.168.3.44>, Theo wrote:
Question for the group

The authentication system for the site I'm working on seems to function
properly and all is good. A session keeps track of everything and a
cookie is used to accept or deny access... sounds as it should be I hope.
Then when all is done logging out destroys everything and the pages are
no longer accessible. Good so far.

But two things come to mind: one is preventing multiple logins of the
user/password. The solution from what I've read seems to be using another
variable to check whether or not the user is already logged in (a simple
yes or no). Simple enough. I imagine logging out normally and deleting
all values removes this and then the cookie is deleted. But, what if the
browser is simply closed? If I understand how everything works the cookie
will still be there for a set period until it's removed automatically.
What if the user logs in, closes the browser, and tries to log in again?
Is the value saying the login already exists still there? Or am I
thinking I need a solution to a problem that is already transparently
handled?


Instead of yes/no store the timestamp. And save that timestamp in the
session.

Every time a user requests a page, compare the session timestamp with
the timestamp in the database.

If a new login has been done, the timestamp will be different.

--
Tim Van Wassenhove <http://www.timvw.info>
Jul 17 '05 #2
On Fri, 24 Sep 2004 22:45:53 -0000, Theo <in*****@noemai l.com> wrote:
Question for the group

The authentication system for the site I'm working on seems to function
properly and all is good. A session keeps track of everything and a
cookie is used to accept or deny access... sounds as it should be I hope.
Then when all is done logging out destroys everything and the pages are
no longer accessible. Good so far.

But two things come to mind: one is preventing multiple logins of the
user/password. The solution from what I've read seems to be using another
variable to check whether or not the user is already logged in (a simple
yes or no). Simple enough. I imagine logging out normally and deleting
all values removes this and then the cookie is deleted. But, what if the
browser is simply closed? If I understand how everything works the cookie
will still be there for a set period until it's removed automatically.
What if the user logs in, closes the browser, and tries to log in again?
Is the value saying the login already exists still there? Or am I
thinking I need a solution to a problem that is already transparently
handled?

thx

(note: I sent an email about this earlier today, but I don't see it so I'm
sending it again)

Right.. so are you using _SESSIONs or _COOKIEs? (or both?)

By default, both have "the same" lifespan.. for the duration of the
session. When the user closes the browser, the _SESSION or _COOKIE data
is removed (presuming you're not using cookies and setting a specified
expiration date) thus I believe you're looking for an answer to an
irrelevant question as when the user closes the browser, _all_ session
data will be destroyed, including the 'i_am_logged_in ' value.. whatever
you use to distinguish =)
HTH.

Regards,

Ian

--
Ian.H
digiServ Network
London, UK
http://digiserv.net/
Jul 17 '05 #3
>The authentication system for the site I'm working on seems to function
properly and all is good. A session keeps track of everything and a
cookie is used to accept or deny access... sounds as it should be I hope.
Then when all is done logging out destroys everything and the pages are
no longer accessible. Good so far.

But two things come to mind: one is preventing multiple logins of the
user/password.
Why? What problem are you trying to solve here?

If the intent is to prevent the sharing of pay site logins, you're
trading one problem for another (denial of access by the legitimate
user). Of course, the site operator might like this problem, as
it costs less in bandwidth. But he might lose customers and his
site might get a bad reputation.

If the intent is some kind of security for abandoned sessions or
computers left unattended, put a timestamp in the session. Update
the timestamp to the current time on each successful page load (this
part comes after the logged-in check). On each page, the logged-in
check should include checking that the timestamp is not "too old"
(whatever value you decide for that). If it is (or the login is
otherwise invalid, say, the membership expired), destroy the session
and redirect to the login page. This should take care of "abandoned
sessions": any sessions older than the timeout aren't any good any
more and they get destroyed if anyone attempts to use them. You
should also have an occasional cleanup process that deletes old
sessions which nobody attempted to use after they were abandoned
(mostly to reclaim disk space). Oh, yes, DON'T count on browsers
to delete a cookie at the appropriate time. Some desktops have
clocks that, well, suck, and may be years off. Also, sniffed cookies
may be resurrected on another computer somewhere, with a tricked-up
browser that doesn't behave like you expect.

Your definition of "too old" should take into account what users
are doing with the pages: if it takes an average user 15 minutes
to fill in ONE form or compose message text, chances are a timeout
of 20 minutes is too short.

If the intent is some kind of assumption that if there are duplicate
logins, one MUST be an unauthorized cracker or will screw up your
application, well, that assumption is often false. It's not that
uncommon for me to have several browsers running on several computers
viewing the same site all on the same monitor. Your application
should distinguish carefully between per-USER data and per-SESSION
data (for example, each session has its own shopping cart, but the
paid-until date is shared by all sessions for the same user, and
the download limit is probably per-user, not per-session).

Incidentally, I think for many applications, if you must prevent
duplicate logins, on detection of a duplicate, allow the current
login and log out ALL THE OTHERS using the same username. (I'm not
real sure how to do this in a bulletproof way, but if you use session
handlers to put the session data in a database rather than the
default temporary files, finding other sessions with the same
username becomes easier. They'd go back to the login page on the
next attempt to load a page.) This prevents legitimate users from
having a number of problems including having their system crash/reboot
and then not being able to get back in until after an annoyingly
long timeout.
The solution from what I've read seems to be using another
variable to check whether or not the user is already logged in (a simple
yes or no). Simple enough. I imagine logging out normally and deleting
all values removes this and then the cookie is deleted. But, what if the
browser is simply closed?
If there is another session with the same username AND the timestamp
is not stale, you have a duplicate login. Act accordingly. It
MIGHT be caused by a recently-closed browser. The situation will
correct itself after the timeout period.

If there is another session with the same username and the timestamp
is stale, this might be a case of just closing the browser. You ought
to ignore records with stale timestamps (as though they don't exist),
as they can't be used any more.
If I understand how everything works the cookie
will still be there for a set period until it's removed automatically.
What if the user logs in, closes the browser, and tries to log in again?
Is the value saying the login already exists still there? Or am I
Most likely, YES, and the user will be locked out. If you are
using timestamps, the lockout will only be for the timeout period.
thinking I need a solution to a problem that is already transparently
handled?


Gordon L. Burditt
Jul 17 '05 #4
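The idle-timeout scheme described in the reply above (timestamp in the session, checked before the page runs and refreshed only after a successful check, session destroyed server-side when it is stale), written out as PHP. This is an added example, not code from the thread or from any poster; the function names, the session keys `user_id` and `last_activity`, the 30-minute limit and the `/login.php` redirect path are assumptions chosen for illustration.

```php
<?php
// Added example (not from the thread): server-side idle timeout for a PHP session.
// Names, session keys, the timeout value and the login path are assumptions.
declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 30 * 60; // assumed; size it to how long one form or message takes to write

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // The session id travels in a cookie, so limit where that cookie goes:
    // browser-session lifetime, HTTPS only, no JavaScript access, not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Ask the browser to drop its cookie as well, but never depend on that:
        // the server-side destroy below is what actually ends the login.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

/**
 * True if the session belongs to a logged-in user and has not been idle
 * longer than $timeout. Any failure destroys the session so the stale data
 * cannot be reused; the caller then redirects to the login page.
 */
function require_login(int $now, int $timeout = IDLE_TIMEOUT_SECONDS): bool
{
    start_secure_session();

    $userId = $_SESSION['user_id'] ?? null;
    $last   = $_SESSION['last_activity'] ?? null;

    // Logged-in check first, then the "too old" check; both failures end the session.
    if ($userId === null || !is_int($last) || ($now - $last) > $timeout) {
        destroy_session();
        return false;
    }

    // The timestamp is refreshed only after the checks pass, as the reply describes.
    $_SESSION['last_activity'] = $now;
    return true;
}

// At the top of every protected page:
if (!require_login(time())) {
    header('Location: /login.php'); // assumed path
    exit;
}
```

The "occasional cleanup process" the reply asks for is PHP's own session garbage collector (`session.gc_maxlifetime` together with `session.gc_probability`/`session.gc_divisor`); keep `gc_maxlifetime` at least as large as the idle timeout so that the check above, not the garbage collector, is what decides when a login ends. The login page itself should set `user_id` and `last_activity` after calling `session_regenerate_id(true)`, so a session id issued before authentication is never carried into the logged-in state.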
Ian.H <ia*@WINDOZEdig iserv.net> wrote in
news:v7******** *************** *********@4ax.c om:
Right.. so are you using _SESSIONs or _COOKIEs? (or both?)

By default, both have "the same" lifespan.. for the duration of the
session. When the user closes the browser, the _SESSION or _COOKIE
data is removed (presuming you're not using cookies and setting a
specified expiration date) thus I believe you're looking for an answer
to an irrelevant question as when the user closes the browser, _all_
session data will be destroyed, including the 'i_am_logged_in ' value..
whatever you use to distinguish =)

HTH.

Regards,

Ian


Session cookies (as opposed to cookies on the user's computer). Yes the
cookie does have an expiration date, so it will no longer work if the
computer is left unattended for a set time, say an hour. Several of the
authentication examples I read set the time... then set the time limit
to a negative amount (or before the current time) on logout so it will be
deleted when the session is ended. If I read the other post correctly,
perhaps the thing to do is store the last time any protected page was
accessed, get the time of next access, and if the difference is more than
1 hour, delete the current session and redirect to the login page?
Jul 17 '05 #5
Theo <in*****@noemai l.com> wrote in message news:<Xn******* *************** **@216.168.3.44 >...
Question for the group

The authentication system for the site I'm working on seems to function
properly and all is good. A session keeps track of everything and a
cookie is used to accept or deny access... sounds as it should be I hope.
Then when all is done logging out destroys everything and the pages are
no longer accessible. Good so far.

But two things come to mind: one is preventing multiple logins of the
user/password. The solution from what I've read seems to be using another
variable to check whether or not the user is already logged in (a simple
yes or no). Simple enough. I imagine logging out normally and deleting
all values removes this and then the cookie is deleted. But, what if the
browser is simply closed? If I understand how everything works the cookie
will still be there for a set period until it's removed automatically.
What if the user logs in, closes the browser, and tries to log in again?
Is the value saying the login already exists still there? Or am I
thinking I need a solution to a problem that is already transparently
handled?


1. <http://martin.f2o.org/php/login>
2. Session _may_ also use cookies (just to store the session id)
3. If you want to avoid multiple logins, just store the session id in the
user table (when he logs in) and see (on every page) if the user's
current session id is the one which was stored in the DB when he logged in.
Storing the IP may also sometimes work, but if the user is behind a proxy,
it will create problems.
4. No need to check timestamp as session will expire after the
specified time in INI settings.

--
| Just another PHP saint |
Email: rrjanbiah-at-Y!com
Jul 17 '05 #6
In article <Xn************ *************@2 16.168.3.44>, Theo wrote:
If I read the other post correctly,
perhaps the thing to do is store the last time any protected page was
accessed, get the time of next access, and if the difference is more than
1 hour, delete the current session and redirect to the login page?


If you're referring to mine, you've misunderstood ;)
user logs in -> store current time in session and in database.
user requests page -> compare session and database time.
If the user logs in a second time, the time in the database will change.
So the first session time != database time.
This way:

They can always log in. (Don't have to wait for expiration time)
Only the last session will be valid.

--
Tim Van Wassenhove <http://www.timvw.info>
Jul 17 '05 #7
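The "last login wins" scheme from replies #2 and #7 above, and the variant in reply #6 that stores the session id in the user table, are the same comparison: a value written at login both into the session and into the database, checked on every request, overwritten by the next login. The PHP below is an added example, not code from the thread or from any poster. It uses a random token rather than a plain timestamp (two logins in the same second would otherwise get equal values and both stay valid) and keeps the session in a plain array so the demonstration runs from the command line against an in-memory SQLite database; the table `users`, the column `login_token` and the function names are assumptions.

```php
<?php
// Added example (not from the thread): one valid login per account, last login wins.
// Table/column names and the in-memory SQLite database are assumptions for the demo.
declare(strict_types=1);

/**
 * Record a fresh login: a new random token goes into the users table and into
 * this session. The previous token for the same user is overwritten, which is
 * exactly what logs the earlier session out on its next request. On a real
 * site call session_regenerate_id(true) first so the session id changes too.
 */
function record_login(PDO $db, int $userId, array &$session): string
{
    $token = bin2hex(random_bytes(16));
    $stmt  = $db->prepare('UPDATE users SET login_token = :token WHERE id = :id');
    $stmt->execute([':token' => $token, ':id' => $userId]);
    $session['user_id']     = $userId;
    $session['login_token'] = $token;
    return $token;
}

/** True only if this session still holds the most recent login token for its user. */
function is_current_login(PDO $db, array $session): bool
{
    $userId = $session['user_id'] ?? null;
    $token  = $session['login_token'] ?? null;
    if (!is_int($userId) || !is_string($token)) {
        return false;
    }
    $stmt = $db->prepare('SELECT login_token FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $stored = $stmt->fetchColumn();
    // NULL (never logged in / logged out) or false (no such user) both fail;
    // hash_equals avoids a timing side channel on the comparison.
    return is_string($stored) && hash_equals($stored, $token);
}

/** Explicit logout clears the database copy, so every session for that user ends. */
function logout(PDO $db, array &$session): void
{
    if (isset($session['user_id'])) {
        $stmt = $db->prepare('UPDATE users SET login_token = NULL WHERE id = :id');
        $stmt->execute([':id' => $session['user_id']]);
    }
    $session = [];
}

// Constructed demonstration: two browsers logging in to the same account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login_token TEXT)');
$db->exec('INSERT INTO users (id) VALUES (1)');

$browserA = []; // stands in for $_SESSION in the first browser
$browserB = []; // stands in for $_SESSION in the second browser

record_login($db, 1, $browserA);
printf("A after first login:  %s\n", is_current_login($db, $browserA) ? 'valid' : 'logged out');

// Second login while browser A is still open (or was simply closed: no
// waiting for a timeout, the new login just supersedes the old token).
record_login($db, 1, $browserB);
printf("A after second login: %s\n", is_current_login($db, $browserA) ? 'valid' : 'logged out');
printf("B after second login: %s\n", is_current_login($db, $browserB) ? 'valid' : 'logged out');

logout($db, $browserB);
printf("B after logout:       %s\n", is_current_login($db, $browserB) ? 'valid' : 'logged out');
```

On a protected page the check is `if (!is_current_login($db, $_SESSION)) { session_unset(); session_destroy(); header('Location: /login.php'); exit; }` before any content is produced. Because validity is decided by the database row rather than by the old session's cookie, a closed browser never locks the user out: the next login simply becomes the current one, which is the point made in reply #7.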
Tim Van Wassenhove <eu**@pi.be> wrote in
news:2r******** *****@uni-berlin.de:
In article <Xn************ *************@2 16.168.3.44>, Theo wrote:
If I read the other post correctly,
perhaps the thing to do is store the last time any protected page was
accessed, get the time of next access, and if the difference is more
than 1 hour, delete the current session and redirect to the login
page?


If you're referring to mine, you've misunderstood ;)
user logs in -> store current time in session and in database.
user requests page -> compare session and database time.
If the user logs in a second time, the time in the database will
change. So the first session time != database time.
This way:

They can always log in. (Don't have to wait for expiration time)
Only the last session will be valid.


wouldn't be the first time I don't get something right off the bat. But it
sounds like in the above that login #2 would override #1, whether or not
#1 is still active.
Jul 17 '05 #8
In article <Xn************ ***********@216 .168.3.44>, Theo wrote:
Tim Van Wassenhove <eu**@pi.be> wrote in
news:2r******** *****@uni-berlin.de:
In article <Xn************ *************@2 16.168.3.44>, Theo wrote:
If I read the other post correctly,
perhaps the thing to do is store the last time any protected page was
accessed, get the time of next access, and if the difference is more
than 1 hour, delete the current session and redirect to the login
page?


If you're referring to mine, you've misunderstood ;)
user logs in -> store current time in session and in database.
user requests page -> compare session and database time.
If the user logs in a second time, the time in the database will
change. So the first session time != database time.
This way:

They can always log in. (Don't have to wait for expiration time)
Only the last session will be valid.


wouldn't be the first time I don't get something right off the bat. But it
sounds like in the above that login #2 would override #1, whether or not
#1 is still active.


Yes, that is the concept of one login per account, no? :)

--
Tim Van Wassenhove <http://www.timvw.info>
Jul 17 '05 #9

"Theo" <in*****@noemai l.com> wrote in message
news:Xn******** *************** *@216.168.3.44. ..
Question for the group

The authentication system for the site I'm working on seems to function
properly and all is good. A session keeps track of everything and a
cookie is used to accept or deny access... sounds as it should be I hope.
Then when all is done logging out destroys everything and the pages are
no longer accessible. Good so far.

But two things come to mind: one is preventing multiple logins of the
user/password. The solution from what I've read seems to be using another
variable to check whether or not the user is already logged in (a simple
yes or no). Simple enough. I imagine logging out normally and deleting
all values removes this and then the cookie is deleted. But, what if the
browser is simply closed?
If the browser is closed then nothing is sent to the web server to say so,
so any session data you have on the server will just hang around until
something happens. This can be one of the following:
(a) Another request appears which references that session_id.
(b) Expired session data is deleted by PHP.
If I understand how everything works the cookie
will still be there for a set period until it's removed automatically.
By default the cookie which stores the session name and session id is a
temporary cookie. This means that it resides in memory only for the duration
of that browser session. If the user closes his browser, opens it again and
accesses your site there will be no session cookie for that new browser
session, so PHP will create a new session.

OTOH if the user logs in then opens up a new browser window and logs in
again then both browser instances will share the same session cookie
therefore the same session data. Even if the second login were to generate a
new session id this would be written out to the session cookie and therefore
picked up by the first login.

--
Tony Marston

http://www.tonymarston.net
What if the user logs in, closes the browser, and tries to log in again?
Is the value saying the login already exists still there? Or am I
thinking I need a solution to a problem that is already transparently
handled?

thx

(note: I sent an email about this earlier today, but I don't see it so I'm
sending it again)

Jul 17 '05 #10
