开发者

Do session cookies expire when the browser is closed?

开发者 https://www.devze.com 2023-01-18 17:54 出处:网络
I have a PHP application where I set $_SESSION[\'user\']=\"logged\" once a user is aut开发者_开发问答henticated. I call this loginpage.php.

I have a PHP application where I set $_SESSION['user']="logged" once a user is aut开发者_开发问答henticated. I call this loginpage.php.

Once authenticated and the session variable set, the user is taken to a member page which starts with the lines:

<?php
session_set_cookie_params(0,'/');
session_start();
if($_SESSION['user'] != 'logged') {
header ("Location:loginpage.php");
}?>

When a user has logged in, closes the browser and then visits the members page, I expect him to be redirected to loginpage.php.

However, this does not happen. The session cookie is still there in the browser - I tested this using Firefox.

Could someone explain to me where I'm getting it wrong?


The answers above, including the accepted one, are wrong.

Session cookies don't expire on the browser close because of some design decisions made by prominent browsers developers.

Basically, session expiring cookies interfered with the current browser behavior, where a browser downloads updates and then asks to be restarted. The user after such updates restarts the browsers and wants to experience an as minimal disruption as possible. Keeping the original session cookies behavior, however, would instantly clear a number of cookies during the browser update => restart process and would disrupt user experience. Therefore design decisions were made so that now the default behavior is to not clear the session cookies. Advanced users who want to return to the original behavior usually have to enable specific backward compatibility options or explicit cookie clear options.


The cookie should be deleted, because you set his lifetime to 0.

Maybe there is still a firefox-process running, take a look into the taskmanager.


Also you should terminate your script after header('Location:'), otherwise it'll just continue running and output the "secure" page to the client (or if you are lucky to the web server that will hopefully ignore it) anyway and consuming resources.


Look here.

"The expiration timestamp is set relative to the server time, which is not necessarily the same as the time in the client's browser."

Could be that... dunno.

0

精彩评论

暂无评论...
验证码 换一张
取 消