0
votes

Background: I made a webapp where the user needs to log in to use the functionality in the webapp.


I'd like to make it fairly secure on the session side (to avoid leaving a session open). I know the session gets destroyed by default when the browser gets closed (you close all your Chrome tabs). I also added this PHP code on the logout button to destroy it.

<?php
session_start();                    // resume the session so $_SESSION is available
unset($_SESSION['username']);       // drop the login data kept in the session
unset($_SESSION['password']);
session_destroy();                  // remove the server-side session data
header('Location: somelocation');   // send the user on, then stop the script
exit;
?>

My issue is when the user only closes the browser tab where the application is, the session won't get destroyed and he will be able to reopen it without logging in again. So if the user has a YouTube (e.g.) tab open and closes only the tab where my application is, the session won't get destroyed. Is there a way to detect it and destroy the session? I already took a look at: logout user when browser or tab is closed and destroy session when browser tab closed. But they do not answer my question. Thanks in advance.

3
javascript it - on window unload - run the php script (treyBake)

3 Answers

1
votes

Due to the nature of the client/server model there is no easy way to do what you want. If the user may stay idle for a while after loading your page, he can also close the tab and open it again. You have no control over what clients do on the client side. There are simple JavaScript methods to do this, such as the unload event, but they are not reliable and often don't work.

You may use websockets to ensure the client is always connected or do several ajax requests in the background and keep a timeout of a few seconds in your session, but those methods will disconnect the user if his internet connection drops even for a few moments.

3
votes

I would suggest that you should make an AJAX call to a PHP function which will destroy the session. The code you wrote in your question will work. But there is a trick to initiate an AJAX call.

When the user closes the browser tab, the ajax will be initiated and the session will be destroyed. Here I have shown how:

var flag_var = false;   // prevents sending the logout request twice (beforeunload + unload)
function pageCleanup()
{
    if (!flag_var)
    {
        $.ajax({
            type: 'GET',
            async: false,   // synchronous so the request goes out before the page is torn down
                            // (current browsers deprecate or ignore sync XHR during unload)
            url: 'SomeUrl.com/php_file.php',   // the PHP script that calls session_destroy()
            success: function ()
            {
                flag_var = true;
            }
        });
    }
}


$(window).on('beforeunload unload', function ()
{
    //this will work only for Chrome
    pageCleanup();
});

0
votes

There is a nuance we found with session timing out although the user is still active in the session. The problem has to do with never modifying the session variable.

The GC will clear the session data files based on their last modification time. Thus if you never modify the session, you simply read from it, then the GC will eventually clean up.

To prevent this you need to ensure that your session is modified within the GC delete time. You can accomplish this like below.

<?php
session_start();   // the session must be open before $_SESSION is touched
// Touch the session at most once a minute so the session file's modification time stays fresh for the GC.
if (!isset($_SESSION['last_access']) || (time() - $_SESSION['last_access']) > 60) {
    $_SESSION['last_access'] = time();
}
?>

This will update the session every 60s to ensure that the modification date is altered.

Reference: PHP Session
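A server-side complement to the AJAX answer and the GC answer above, added here as an example and not code from any of the posters: a PHP include that refreshes last_access on every request (the trick against the GC), enforces an idle timeout so a tab left open cannot keep a session alive indefinitely, and provides the destroy routine the logout script or the unload-time request should call. The file names session_guard.php and login.php, the 15-minute limit, HTTPS-only deployment and PHP 7.3+ (for the array forms of the cookie functions) are assumptions.

```php
<?php
// session_guard.php (hypothetical name): require_once this at the top of every protected page.
declare(strict_types=1);

const IDLE_LIMIT_SECONDS = 15 * 60;   // assumed policy: end the session after 15 idle minutes

// Cookie flags limit what a browser that was left open, or a script on the page, can do with the ID.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: discarded when the browser process exits
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS (assumed deployment)
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Fully end the session: clear the data, expire the cookie, remove the server-side store.
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Idle timeout is decided by the server, whether or not the client ever managed to call logout.
if (isset($_SESSION['last_access'])
    && (time() - $_SESSION['last_access']) > IDLE_LIMIT_SECONDS) {
    destroy_session();
    header('Location: /login.php?reason=timeout');   // assumed login page
    exit;
}

// Writing last_access on every request keeps the session modified, so the GC will not reap an active user.
$_SESSION['last_access'] = time();
```

The logout script (and the PHP file the unload-time request targets) then only needs to require_once this guard, call destroy_session() and redirect to the login page.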