FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Expire session on browser close or back button
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
Expire session on browser close or back button [message #172868] Mon, 07 March 2011 09:45 Go to next message
mohan is currently offline  mohan
Messages: 2
Registered: March 2011
Karma: 0
Junior Member
I am developing one website in which I have the following requirements
which are pretty much similar to banking website behavior:
- Expire session when browser is closed
- Expire session when user clicks on back button of browser
- Do not show the page if user directly copy pastes the URL to
navigate to a page

Can someone please provide me suggestion on how to implement this. I
am using Centos, nginx and php combination.
Re: Expire session on browser close or back button [message #172869 is a reply to message #172868] Mon, 07 March 2011 10:11 Go to previous messageGo to next message
Erwin Moller is currently offline  Erwin Moller
Messages: 228
Registered: September 2010
Karma: 0
Senior Member
On 3/7/2011 10:45 AM, mohan wrote:
> I am developing one website in which I have the following requirements
> which are pretty much similar to banking website behavior:
> - Expire session when browser is closed

If you do not set the 'expires' for a cookie, it will default to what is
named "session cookie". A session cookie will expire when the browser is
closed.


> - Expire session when user clicks on back button of browser

Not directly.
What you can do is sessionid-rotation and/or session in cookie only.

To use session in cookie only, set this in your php.ini.
Look for: session.use_only_cookies

You might also want to read the following paper on session-fixation (and
its solution: sessionid-rotation).
It contains some good background information and in-depth analysis of
your situation.
http://www.acros.si/papers/session_fixation.pdf

The bottomline with the BACK button is that behavior differs from
browser to browser, and you should solve your problem serverside, not
clientside. SO go for sessionid-rotation.


> - Do not show the page if user directly copy pastes the URL to
> navigate to a page

That is solved if the URL is NEVER used to find a sessionid.
Demand a cookie, see above.


>
> Can someone please provide me suggestion on how to implement this. I
> am using Centos, nginx and php combination.

That should be OK.

Good luck.
Regards,
Erwin Moller

--
"That which can be asserted without evidence, can be dismissed without
evidence."
-- Christopher Hitchens
Re: Expire session on browser close or back button [message #172870 is a reply to message #172868] Mon, 07 March 2011 12:55 Go to previous messageGo to next message
Michael Fesser is currently offline  Michael Fesser
Messages: 215
Registered: September 2010
Karma: 0
Senior Member
.oO(mohan)

> I am developing one website in which I have the following requirements
> which are pretty much similar to banking website behavior:
> - Expire session when browser is closed

Happens automatically with session cookies.

> - Expire session when user clicks on back button of browser

Not possible. What really happens when moving back one page is left to
the browser. It may request the previous page again or simply serve it
from its cache. Nothing wrong with that.

Some applications may have a problem with that, especially if there's
heavy use of AJAX and the like. But that's a problem in the application,
not in the browser's behaviour.

> - Do not show the page if user directly copy pastes the URL to
> navigate to a page

Why not? The browser has to send a request to the server, so the user
can always see the URL and may open it directly in another tab for
example. And from the server's POV it doesn't make a difference whether
the user followed a link or directly copied the URL into the browser's
address bar. In the first case there might be a referrer header, but you
can't safely rely on that.

Maybe you can explain in some more detail why you need alle the above
(except for the first issue, which is nothing special).

Micha
Re: Expire session on browser close or back button [message #172871 is a reply to message #172870] Mon, 07 March 2011 13:23 Go to previous messageGo to next message
Captain Paralytic is currently offline  Captain Paralytic
Messages: 204
Registered: September 2010
Karma: 0
Senior Member
On Mar 7, 12:55 pm, Michael Fesser <neti...@gmx.de> wrote:
> .oO(mohan)
>
>> I am developing one website in which I have the following requirements
>> which are pretty much similar to banking website behavior:
>>     - Expire session when browser is closed
>
> Happens automatically with session cookies.
>
>
> Maybe you can explain in some more detail why you need alle the above
> (except for the first issue, which is nothing special).
>
> Micha
This doesn't seem to be the case with FF4, which opens with a "Restore
Previous Session" button.
Re: Expire session on browser close or back button [message #172872 is a reply to message #172870] Tue, 08 March 2011 10:31 Go to previous messageGo to next message
mohan is currently offline  mohan
Messages: 2
Registered: March 2011
Karma: 0
Junior Member
On Mar 7, 5:55 pm, Michael Fesser <neti...@gmx.de> wrote:
> .oO(mohan)
>
>> I am developing one website in which I have the following requirements
>> which are pretty much similar to banking website behavior:
>>     - Expire session when browser is closed
>
> Happens automatically with session cookies.
>
>>     - Expire session when user clicks on back button of browser
>
> Not possible. What really happens when moving back one page is left to
> the browser. It may request the previous page again or simply serve it
> from its cache. Nothing wrong with that.
>
> Some applications may have a problem with that, especially if there's
> heavy use of AJAX and the like. But that's a problem in the application,
> not in the browser's behaviour.
>
>>     - Do not show the page if user directly copy pastes the URL to
>> navigate to a page
>
> Why not? The browser has to send a request to the server, so the user
> can always see the URL and may open it directly in another tab for
> example. And from the server's POV it doesn't make a difference whether
> the user followed a link or directly copied the URL into the browser's
> address bar. In the first case there might be a referrer header, but you
> can't safely rely on that.
>
> Maybe you can explain in some more detail why you need alle the above
> (except for the first issue, which is nothing special).
>
> Micha

Hi,

Thanks for the inputs. We are developing a site that has some payment
related functionalities. Our client wanted to have the above 3
mentioned session related handling exactly the way it is done in
banking websites. So we are looking for options on implementing the
same.
Re: Expire session on browser close or back button [message #172873 is a reply to message #172872] Tue, 08 March 2011 11:51 Go to previous messageGo to next message
bill is currently offline  bill
Messages: 310
Registered: October 2010
Karma: 0
Senior Member
On 3/8/2011 5:31 AM, mohan wrote:
> On Mar 7, 5:55 pm, Michael Fesser<neti...@gmx.de> wrote:
>> .oO(mohan)
>>
>>> I am developing one website in which I have the following requirements
>>> which are pretty much similar to banking website behavior:
>>> - Expire session when browser is closed
>>
>> Happens automatically with session cookies.
>>
>>> - Expire session when user clicks on back button of browser
>>
>> Not possible. What really happens when moving back one page is left to
>> the browser. It may request the previous page again or simply serve it
>> from its cache. Nothing wrong with that.
>>
>> Some applications may have a problem with that, especially if there's
>> heavy use of AJAX and the like. But that's a problem in the application,
>> not in the browser's behaviour.
>>
>>> - Do not show the page if user directly copy pastes the URL to
>>> navigate to a page
>>
>> Why not? The browser has to send a request to the server, so the user
>> can always see the URL and may open it directly in another tab for
>> example. And from the server's POV it doesn't make a difference whether
>> the user followed a link or directly copied the URL into the browser's
>> address bar. In the first case there might be a referrer header, but you
>> can't safely rely on that.
>>
>> Maybe you can explain in some more detail why you need alle the above
>> (except for the first issue, which is nothing special).
>>
>> Micha
>
> Hi,
>
> Thanks for the inputs. We are developing a site that has some payment
> related functionalities. Our client wanted to have the above 3
> mentioned session related handling exactly the way it is done in
> banking websites. So we are looking for options on implementing the
> same.

Although it may not be reliable, you can check the referrer to
see where the customer came from or you can put time references
into the E_SESSION array.
Or you can deconstruct the banking websites and tell us all how
they do it.

bill
Re: Expire session on browser close or back button [message #172874 is a reply to message #172868] Tue, 08 March 2011 12:11 Go to previous messageGo to next message
alvaro.NOSPAMTHANX is currently offline  alvaro.NOSPAMTHANX
Messages: 277
Registered: September 2010
Karma: 0
Senior Member
El 07/03/2011 10:45, mohan escribió/wrote:
> I am developing one website in which I have the following requirements
> which are pretty much similar to banking website behavior:
> - Expire session when browser is closed
> - Expire session when user clicks on back button of browser

Banking sites in Spain are sometimes awful (thankfully not always) but
they don't log you out every time you attempt to use your browser's
history. It must be terribly frustrating to manage your accounts in your
country...


> - Do not show the page if user directly copy pastes the URL to
> navigate to a page

This is very important. Imagine they use bookmarks to skip the start
page ads ;-P


--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://borrame.com
-- Mi web de humor satinado: http://www.demogracia.com
--
Re: Expire session on browser close or back button [message #172875 is a reply to message #172868] Tue, 08 March 2011 17:51 Go to previous messageGo to next message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
Senior Member
On 07/03/11 09:45, mohan wrote:
> I am developing one website in which I have the following requirements
> which are pretty much similar to banking website behavior:
> - Expire session when browser is closed

session cookie

> - Expire session when user clicks on back button of browser

client side onunload event that uses XMLHttpRequest to notify the server
to end the session - this will only work if the person viewing the page
has javascript enabled, and hasn't over-ridden onunload events handlers
for the website eg using greasemonkey in firefox.

> - Do not show the page if user directly copy pastes the URL to
> navigate to a page

check the referrer

Rgds

Denis McMahon
Re: Expire session on browser close or back button [message #172876 is a reply to message #172868] Tue, 08 March 2011 20:14 Go to previous message
D. Stussy is currently offline  D. Stussy
Messages: 2
Registered: March 2011
Karma: 0
Junior Member
"mohan" <kodaliece(at)gmail(dot)com> wrote in message
news:2fd4901b-a947-4a21-9727-4224bb2b6b25(at)l14g2000pre(dot)googlegroups(dot)com...
> I am developing one website in which I have the following requirements
> which are pretty much similar to banking website behavior:
> - Expire session when browser is closed

A session cookie will expire automatically without an expires field.

> - Expire session when user clicks on back button of browser

Not possible. All pages are part of the session. However, using an
"Expires:" header (with a date in the past) on individual pages (not the
expires field for the session cookie) might provide you with what you need.

> - Do not show the page if user directly copy pastes the URL to
> navigate to a page

Check the request's "Referer:" header. If it's blank, then either the URL
was directly entered or the header is disabled in the browser.

> Can someone please provide me suggestion on how to implement this. I
> am using Centos, nginx and php combination.
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: Stats comp.lang.php (last 7 days)
Next Topic: hai
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Nov 10 05:31:11 GMT 2024

Total time taken to generate the page: 0.02477 seconds