| Expire session on browser close or back button [message #172868] |
Mon, 07 March 2011 09:45  |
mohan
Messages: 2
Registered: March 2011
Karma: 0
|
Junior Member |
|
|
I am developing one website in which I have the following requirements
which are pretty much similar to banking website behavior:
- Expire session when browser is closed
- Expire session when user clicks on back button of browser
- Do not show the page if user directly copy pastes the URL to
navigate to a page
Can someone please provide me suggestion on how to implement this. I
am using Centos, nginx and php combination.
|
|
|
|
| Re: Expire session on browser close or back button [message #172869 is a reply to message #172868] |
Mon, 07 March 2011 10:11  |
Erwin Moller
Messages: 228
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 3/7/2011 10:45 AM, mohan wrote:
> I am developing one website in which I have the following requirements
> which are pretty much similar to banking website behavior:
> - Expire session when browser is closed
If you do not set the 'expires' for a cookie, it will default to what is
named "session cookie". A session cookie will expire when the browser is
closed.
> - Expire session when user clicks on back button of browser
Not directly.
What you can do is sessionid-rotation and/or session in cookie only.
To use session in cookie only, set this in your php.ini.
Look for: session.use_only_cookies
You might also want to read the following paper on session-fixation (and
its solution: sessionid-rotation).
It contains some good background information and in-depth analysis of
your situation.
http://www.acros.si/papers/session_fixation.pdf
The bottomline with the BACK button is that behavior differs from
browser to browser, and you should solve your problem serverside, not
clientside. SO go for sessionid-rotation.
> - Do not show the page if user directly copy pastes the URL to
> navigate to a page
That is solved if the URL is NEVER used to find a sessionid.
Demand a cookie, see above.
>
> Can someone please provide me suggestion on how to implement this. I
> am using Centos, nginx and php combination.
That should be OK.
Good luck.
Regards,
Erwin Moller
--
"That which can be asserted without evidence, can be dismissed without
evidence."
-- Christopher Hitchens
|
|
|
|
| Re: Expire session on browser close or back button [message #172870 is a reply to message #172868] |
Mon, 07 March 2011 12:55 |
Michael Fesser
Messages: 215
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
.oO(mohan)
> I am developing one website in which I have the following requirements
> which are pretty much similar to banking website behavior:
> - Expire session when browser is closed
Happens automatically with session cookies.
> - Expire session when user clicks on back button of browser
Not possible. What really happens when moving back one page is left to
the browser. It may request the previous page again or simply serve it
from its cache. Nothing wrong with that.
Some applications may have a problem with that, especially if there's
heavy use of AJAX and the like. But that's a problem in the application,
not in the browser's behaviour.
> - Do not show the page if user directly copy pastes the URL to
> navigate to a page
Why not? The browser has to send a request to the server, so the user
can always see the URL and may open it directly in another tab for
example. And from the server's POV it doesn't make a difference whether
the user followed a link or directly copied the URL into the browser's
address bar. In the first case there might be a referrer header, but you
can't safely rely on that.
Maybe you can explain in some more detail why you need alle the above
(except for the first issue, which is nothing special).
Micha
|
|
|
|
| Re: Expire session on browser close or back button [message #172871 is a reply to message #172870] |
Mon, 07 March 2011 13:23 |
Captain Paralytic
Messages: 204
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On Mar 7, 12:55 pm, Michael Fesser <neti...@gmx.de> wrote:
> .oO(mohan)
>
>> I am developing one website in which I have the following requirements
>> which are pretty much similar to banking website behavior:
>> - Expire session when browser is closed
>
> Happens automatically with session cookies.
>
>
> Maybe you can explain in some more detail why you need alle the above
> (except for the first issue, which is nothing special).
>
> Micha
This doesn't seem to be the case with FF4, which opens with a "Restore
Previous Session" button.
|
|
|
|
| Re: Expire session on browser close or back button [message #172872 is a reply to message #172870] |
Tue, 08 March 2011 10:31 |
mohan
Messages: 2
Registered: March 2011
Karma: 0
|
Junior Member |
|
|
On Mar 7, 5:55 pm, Michael Fesser <neti...@gmx.de> wrote:
> .oO(mohan)
>
>> I am developing one website in which I have the following requirements
>> which are pretty much similar to banking website behavior:
>> - Expire session when browser is closed
>
> Happens automatically with session cookies.
>
>> - Expire session when user clicks on back button of browser
>
> Not possible. What really happens when moving back one page is left to
> the browser. It may request the previous page again or simply serve it
> from its cache. Nothing wrong with that.
>
> Some applications may have a problem with that, especially if there's
> heavy use of AJAX and the like. But that's a problem in the application,
> not in the browser's behaviour.
>
>> - Do not show the page if user directly copy pastes the URL to
>> navigate to a page
>
> Why not? The browser has to send a request to the server, so the user
> can always see the URL and may open it directly in another tab for
> example. And from the server's POV it doesn't make a difference whether
> the user followed a link or directly copied the URL into the browser's
> address bar. In the first case there might be a referrer header, but you
> can't safely rely on that.
>
> Maybe you can explain in some more detail why you need alle the above
> (except for the first issue, which is nothing special).
>
> Micha
Hi,
Thanks for the inputs. We are developing a site that has some payment
related functionalities. Our client wanted to have the above 3
mentioned session related handling exactly the way it is done in
banking websites. So we are looking for options on implementing the
same.
|
|
|
|
| Re: Expire session on browser close or back button [message #172873 is a reply to message #172872] |
Tue, 08 March 2011 11:51 |
bill
Messages: 310
Registered: October 2010
Karma: 0
|
Senior Member |
|
|
On 3/8/2011 5:31 AM, mohan wrote:
> On Mar 7, 5:55 pm, Michael Fesser<neti...@gmx.de> wrote:
>> .oO(mohan)
>>
>>> I am developing one website in which I have the following requirements
>>> which are pretty much similar to banking website behavior:
>>> - Expire session when browser is closed
>>
>> Happens automatically with session cookies.
>>
>>> - Expire session when user clicks on back button of browser
>>
>> Not possible. What really happens when moving back one page is left to
>> the browser. It may request the previous page again or simply serve it
>> from its cache. Nothing wrong with that.
>>
>> Some applications may have a problem with that, especially if there's
>> heavy use of AJAX and the like. But that's a problem in the application,
>> not in the browser's behaviour.
>>
>>> - Do not show the page if user directly copy pastes the URL to
>>> navigate to a page
>>
>> Why not? The browser has to send a request to the server, so the user
>> can always see the URL and may open it directly in another tab for
>> example. And from the server's POV it doesn't make a difference whether
>> the user followed a link or directly copied the URL into the browser's
>> address bar. In the first case there might be a referrer header, but you
>> can't safely rely on that.
>>
>> Maybe you can explain in some more detail why you need alle the above
>> (except for the first issue, which is nothing special).
>>
>> Micha
>
> Hi,
>
> Thanks for the inputs. We are developing a site that has some payment
> related functionalities. Our client wanted to have the above 3
> mentioned session related handling exactly the way it is done in
> banking websites. So we are looking for options on implementing the
> same.
Although it may not be reliable, you can check the referrer to
see where the customer came from or you can put time references
into the E_SESSION array.
Or you can deconstruct the banking websites and tell us all how
they do it.
bill
|
|
|
|
| Re: Expire session on browser close or back button [message #172874 is a reply to message #172868] |
Tue, 08 March 2011 12:11 |
alvaro.NOSPAMTHANX
Messages: 277
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
El 07/03/2011 10:45, mohan escribió/wrote:
> I am developing one website in which I have the following requirements
> which are pretty much similar to banking website behavior:
> - Expire session when browser is closed
> - Expire session when user clicks on back button of browser
Banking sites in Spain are sometimes awful (thankfully not always) but
they don't log you out every time you attempt to use your browser's
history. It must be terribly frustrating to manage your accounts in your
country...
> - Do not show the page if user directly copy pastes the URL to
> navigate to a page
This is very important. Imagine they use bookmarks to skip the start
page ads ;-P
--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://borrame.com
-- Mi web de humor satinado: http://www.demogracia.com
--
|
|
|
|
| Re: Expire session on browser close or back button [message #172875 is a reply to message #172868] |
Tue, 08 March 2011 17:51 |
Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 07/03/11 09:45, mohan wrote:
> I am developing one website in which I have the following requirements
> which are pretty much similar to banking website behavior:
> - Expire session when browser is closed
session cookie
> - Expire session when user clicks on back button of browser
client side onunload event that uses XMLHttpRequest to notify the server
to end the session - this will only work if the person viewing the page
has javascript enabled, and hasn't over-ridden onunload events handlers
for the website eg using greasemonkey in firefox.
> - Do not show the page if user directly copy pastes the URL to
> navigate to a page
check the referrer
Rgds
Denis McMahon
|
|
|
|
| Re: Expire session on browser close or back button [message #172876 is a reply to message #172868] |
Tue, 08 March 2011 20:14 |
D. Stussy
Messages: 2
Registered: March 2011
Karma: 0
|
Junior Member |
|
|
"mohan" <kodaliece(at)gmail(dot)com> wrote in message
news:2fd4901b-a947-4a21-9727-4224bb2b6b25(at)l14g2000pre(dot)googlegroups(dot)com...
> I am developing one website in which I have the following requirements
> which are pretty much similar to banking website behavior:
> - Expire session when browser is closed
A session cookie will expire automatically without an expires field.
> - Expire session when user clicks on back button of browser
Not possible. All pages are part of the session. However, using an
"Expires:" header (with a date in the past) on individual pages (not the
expires field for the session cookie) might provide you with what you need.
> - Do not show the page if user directly copy pastes the URL to
> navigate to a page
Check the request's "Referer:" header. If it's blank, then either the URL
was directly entered or the header is disabled in the browser.
> Can someone please provide me suggestion on how to implement this. I
> am using Centos, nginx and php combination.
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]