how do i get a session to end when someone exits the site

[philstockham]

i have added login authentication and sessions to the admin section of my site. However, this is my first experience of sessions. It seems that when i close the browser and then reopen it the pages that should be protected by the code shown below do not take me to the login screen. is there a way to get session to end when someone leaves the site?? Also is there a better way to implement login authentication with sessions than i am currently doing??

<?
session_start();
echo $_SESSION['user'];
if($_SESSION['auth'])//true or false value of 1 or 0
{
echo " logged in!";
}
else
{
header("Location:login.html");
die();
}
?>

 

[jpadie]

check the value of $_SERVER['HTTP_REFERER']. if this is not blank or a page within your site then kill the session and force a new login.
this isn't a perfect solution though. other methods include reducing the timeout value.

 

[philstockham]

how do i reduce the timeout of the session?

 

[jpadie]

from your post, I am assuming that you are using cookies to identify the session. if you are using url rewrites you *most likely* wouldn't be facing the issue.

if you are using cookies either:

(a) adjust your auth functions to refer to and set an express cookie with a timeout value within your control.
or
(b) change the session.cookie_lifetime directive in php.ini.

 

[sleipnir214]

philstockham:
Take a look at faq434-4908. It describes the hoops PHP jumps through when a script invokes session_start().

What I generally do is tweak session.gc_divisor or session.gc_probability so that garbage-collection happens every time a script invokes session_start().

Then I set session.gc_maxlifetime to something reasonable for my application.

Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[philstockham]

i'll have a try changing some settings in the php config file to see if i can get the session timout down.

thanks for your help