Search This Blog

Monday, January 02, 2006

Session closing problem on browser close

You have a website which requires authentication to access certain pages. You write a code for the same and you manage to make it work for logging in and logging out. If the user is not logged in, the page cannot be accessed as you wanted.

But lets say the user logs in and before loggin out closes browser and leaves. Somebody else comes in and tries to go directly to the restricted page and gets in with the first user logged in. For this you can set the session.cookie_lifetime to '0' which keeps the session alive till browser is closed.

But again this has a problem. The session gets terminated on browser close only if the browser is non-tabbed like IE. The problem exists with tabbed browsers like firefox. If you wish to allow 2 logins at the same time in two different tabs in same window you cant. I found a more severe problem with firefox regarding sessions. Lets say you have multiple firefox windows opened. You login using 1 window. Close that window (not just tab) without loggin out, and try accessing the restricted page using a new or a already existing window and you are in. Isnt this something unexpected. Thats because firefox doesnt terminate sessions till firefox as a whole application is closed and not just the window is closed.

So be carefull when you use such browsers on a public access machine...

No comments: