How do you properly close a php session before closing the browser?

say the user closes your site (tab or browser) and you want the session to be destroyed because you dont want an active session when the user turns their browser back on and goes to your page. How do you detect them leaving your site to close the active session?
19 Replies
MD
MDOP•8mo ago
all I was able to find is using js with the beforeUnloadEvent but not sure how to use it with php
Jochem
Jochem•8mo ago
you don't. You set the session cookie to expire at the end of the browser session if you really, really want to do that explicitly, you can use beforeUnloadEvent to do a call to an API endpoint to invalidate the current session, but there's no guarantee that'll work 100% of the time
MD
MDOP•8mo ago
how do you check the end of a browser session?
Jochem
Jochem•8mo ago
you don't, you set the cookie to expire at the end of the session the browser does that for you then
MD
MDOP•8mo ago
mostly im doing this because my $_SESSION is still active after closing unless I logout i have the session start very early on the page
Jochem
Jochem•8mo ago
define "active" there's no code running anywhere once the request's finished
MD
MDOP•8mo ago
when I tried starting it upon successful login, when you go to the login page again by url it doesn't automatically redirect you unless the session_start is very early in the code basically creating a re authentication loop starting it here does fix that
<?php
include('../helpers/validateForms.php');
include('../controller/usercontroller.php');

$validator = new Validate;
$userControl = new UserController;
$res = "";
session_start();
<?php
include('../helpers/validateForms.php');
include('../controller/usercontroller.php');

$validator = new Validate;
$userControl = new UserController;
$res = "";
session_start();
Jochem
Jochem•8mo ago
you start the session on every page load because you have to start it to access the data inside that "start" expires with every page load too, once the request is finished the "start" is discarded, and the session data stored on disk in temporary storage
MD
MDOP•8mo ago
hmm so what i did is ok? i just dont want the user to be able to access the login page again if already logged in
Jochem
Jochem•8mo ago
why? just overwrite the login session if they log in again
MD
MDOP•8mo ago
before i had session_start() in the $_POST['submit'] upon successful login but then it just made the user had to resign every time when they boot up the site even if they didn't close the browser
// Start a token
if(!isset($_SESSION['token'])) {
$_SESSION['token'] = md5(uniqid(mt_rand(), true));
}

// check if the user is already logged in.
if(isset($_SESSION['loggedIntoMDSite']) && isset($_SESSION['username'])) {
header("location: userpage.php");
exit;
}

// check if the user has a cookie saved
if(isset($_COOKIE['rememberme'])) {

$pastUser = $userControl->find_User_By_Cookie($_COOKIE['rememberme']);
if($pastUser == false) {
$res = "Cannot login by remember password. Must login again";
} else {
if($_COOKIE['rememberme'] == $pastUser['cookie']) {
$res = "Automatic login. Going to user page";
header("location: userpage.php");
exit;
} else {
$res = "Cannot log in. Please resign in";
}
}
}
// Start a token
if(!isset($_SESSION['token'])) {
$_SESSION['token'] = md5(uniqid(mt_rand(), true));
}

// check if the user is already logged in.
if(isset($_SESSION['loggedIntoMDSite']) && isset($_SESSION['username'])) {
header("location: userpage.php");
exit;
}

// check if the user has a cookie saved
if(isset($_COOKIE['rememberme'])) {

$pastUser = $userControl->find_User_By_Cookie($_COOKIE['rememberme']);
if($pastUser == false) {
$res = "Cannot login by remember password. Must login again";
} else {
if($_COOKIE['rememberme'] == $pastUser['cookie']) {
$res = "Automatic login. Going to user page";
header("location: userpage.php");
exit;
} else {
$res = "Cannot log in. Please resign in";
}
}
}
kinda difficult to test the cookie login 😄
Jochem
Jochem•8mo ago
usually session_start is one of the first things you do, but on the login page you sometimes have to delay it so that you can set the session cookie's lifetime appropriately
MD
MDOP•8mo ago
how do you delay it? just move it to where I had it before?
Jochem
Jochem•8mo ago
just put the call lower in the script once you have enough information to set it long or short
MD
MDOP•8mo ago
ah maybe below all those sessions and cookie check
Jochem
Jochem•8mo ago
no, you have to call session_start before you can use $_SESSION we went over this in your last thread, right?
MD
MDOP•8mo ago
oh
if(isset($_POST['submit'])) {

if(isset($_COOKIE[session_name()])) {
setcookie(session_name(), '',time() - 3600, '/');
}

$_SESSION[] = array();
session_destroy();
header("location: ../view/login.php");
exit;
}
if(isset($_POST['submit'])) {

if(isset($_COOKIE[session_name()])) {
setcookie(session_name(), '',time() - 3600, '/');
}

$_SESSION[] = array();
session_destroy();
header("location: ../view/login.php");
exit;
}
is their a reason that when you hit logout and the page doesn't change over? like you can't logout ill have to go back and check i haven't looked at this project in a week
Jochem
Jochem•8mo ago
I think, maybe, the setcookie call sends the headers? Check your error log and looking at that location, I think you're putting the path to the file relative to the current file? the Location header is interpreted by the browser, so it should be the path (absolute or relative) that goes in the URL bar. Could still be correct, but ../view/login.php makes me think that might not be correct
MD
MDOP•8mo ago
oddly it was working before I did the cookie stuff yeah i changed that back to login.php since they're in the same directory trying to find the error_log now well I goofed it up. I have error_log with no value but log_errors is set to on update: so here's what I figured out with my sessions... when you close the tab or just add a new one with the same site you have to reauthicate but if you use remember password it seems to work but that depends on the browser settings like it works with chromium but since my firefox runs everything in private browsing and closes and deletes cookies after use, nothing is retained to the user it could be annoying but it seems to work for the most part
Want results from more Discord servers?
Add your server