Expire session on browser close or back button [message #172868]
Mon, 07 March 2011 09:45
mohan
I am developing one website in which I have the following requirements
which are pretty much similar to banking website behavior:
- Expire session when browser is closed
- Expire session when user clicks on back button of browser
- Do not show the page if user directly copy pastes the URL to
navigate to a page
Can someone please provide me suggestion on how to implement this. I
am using Centos, nginx and php combination.
Re: Expire session on browser close or back button [message #172869 is a reply to message #172868]
Mon, 07 March 2011 10:11
Erwin Moller
On 3/7/2011 10:45 AM, mohan wrote:
> I am developing one website in which I have the following requirements
> which are pretty much similar to banking website behavior:
> - Expire session when browser is closed
If you do not set the 'expires' for a cookie, it will default to what is
named "session cookie". A session cookie will expire when the browser is
closed.
> - Expire session when user clicks on back button of browser
Not directly.
What you can do is sessionid-rotation and/or session in cookie only.
To use session in cookie only, set this in your php.ini.
Look for: session.use_only_cookies
You might also want to read the following paper on session-fixation (and
its solution: sessionid-rotation).
It contains some good background information and in-depth analysis of
your situation.
http://www.acros.si/papers/session_fixation.pdf
The bottom line with the BACK button is that behavior differs from
browser to browser, and you should solve your problem serverside, not
clientside. So go for sessionid-rotation.
> - Do not show the page if user directly copy pastes the URL to
> navigate to a page
That is solved if the URL is NEVER used to find a sessionid.
Demand a cookie, see above.
>
> Can someone please provide me suggestion on how to implement this. I
> am using Centos, nginx and php combination.
That should be OK.
Good luck.
Regards,
Erwin Moller
--
"That which can be asserted without evidence, can be dismissed without
evidence."
-- Christopher Hitchens
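An added example (not code from the thread or from any poster) that applies the advice above in PHP: the session id is accepted only from a cookie, the cookie carries no expiry so it is a browser-session cookie, and the id is rotated with `session_regenerate_id()` after login and on a timer. The rotation interval, the `/login.php` redirect target and the `$_SESSION` key names are assumptions; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Session bootstrap: cookie-only session id, browser-session cookie,
// strict id acceptance, and id rotation (assumed key names and intervals).

function secure_session_start(): void
{
    // Refuse session ids passed in the query string or a hidden form field.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server never issued (blocks fixation with a chosen id).
    ini_set('session.use_strict_mode', '1');

    // lifetime 0 => no Expires/Max-Age attribute => discarded on browser close.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',      // current host only
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);

    session_start();
}

/** Call right after a successful login or any privilege change. */
function on_login(int $userId): void
{
    // true => the old session data is deleted, so the old id dies at once.
    session_regenerate_id(true);
    $_SESSION['user_id']         = $userId;
    $_SESSION['last_rotated_at'] = time();
}

/** Periodic rotation; returns true when a new id was issued this request. */
function rotate_session_id_if_due(int $intervalSeconds = 300): bool
{
    $last = $_SESSION['last_rotated_at'] ?? 0;
    if (time() - $last < $intervalSeconds) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['last_rotated_at'] = time();
    return true;
}

// Usage on every page (hypothetical redirect target):
secure_session_start();
rotate_session_id_if_due();
if (!isset($_SESSION['user_id'])) {
    header('Location: /login.php', true, 302);
    exit;
}
```

Because the id never appears in a URL, a pasted or bookmarked address carries no session with it; the cookie, and only the cookie, decides whether the page is shown.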
Re: Expire session on browser close or back button [message #172873 is a reply to message #172872]
Tue, 08 March 2011 11:51
bill
On 3/8/2011 5:31 AM, mohan wrote:
> On Mar 7, 5:55 pm, Michael Fesser<neti...@gmx.de> wrote:
>> .oO(mohan)
>>
>>> I am developing one website in which I have the following requirements
>>> which are pretty much similar to banking website behavior:
>>> - Expire session when browser is closed
>>
>> Happens automatically with session cookies.
>>
>>> - Expire session when user clicks on back button of browser
>>
>> Not possible. What really happens when moving back one page is left to
>> the browser. It may request the previous page again or simply serve it
>> from its cache. Nothing wrong with that.
>>
>> Some applications may have a problem with that, especially if there's
>> heavy use of AJAX and the like. But that's a problem in the application,
>> not in the browser's behaviour.
>>
>>> - Do not show the page if user directly copy pastes the URL to
>>> navigate to a page
>>
>> Why not? The browser has to send a request to the server, so the user
>> can always see the URL and may open it directly in another tab for
>> example. And from the server's POV it doesn't make a difference whether
>> the user followed a link or directly copied the URL into the browser's
>> address bar. In the first case there might be a referrer header, but you
>> can't safely rely on that.
>>
>> Maybe you can explain in some more detail why you need all the above
>> (except for the first issue, which is nothing special).
>>
>> Micha
>
> Hi,
>
> Thanks for the inputs. We are developing a site that has some payment
> related functionalities. Our client wanted to have the above 3
> mentioned session related handling exactly the way it is done in
> banking websites. So we are looking for options on implementing the
> same.
Although it may not be reliable, you can check the referrer to
see where the customer came from or you can put time references
into the $_SESSION array.
Or you can deconstruct the banking websites and tell us all how
they do it.
bill
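An added example (not from the thread) of the "time references in the `$_SESSION` array" idea: each request records its time, and a request that arrives too long after the previous one (idle limit) or too long after the session began (absolute limit) destroys the session server-side, so the browser's back button or cache cannot revive it. The two limits, the key names and the `/login.php` redirect are assumptions.

```php
<?php
declare(strict_types=1);

// Idle and absolute session timeouts driven by timestamps stored in
// $_SESSION (limits and key names are assumed values for illustration).
const IDLE_LIMIT_SECONDS     = 10 * 60;   // 10 minutes without a request
const ABSOLUTE_LIMIT_SECONDS = 8 * 3600;  // hard cap regardless of activity

/**
 * Returns true when the session may continue; on timeout it destroys the
 * session and returns false. $now is injectable to make the logic testable.
 */
function session_is_fresh(?int $now = null): bool
{
    $now = $now ?? time();

    if (!isset($_SESSION['created_at'])) {
        // First request of this session: stamp it.
        $_SESSION['created_at']   = $now;
        $_SESSION['last_seen_at'] = $now;
        return true;
    }

    $idleFor = $now - $_SESSION['last_seen_at'];
    $age     = $now - $_SESSION['created_at'];

    if ($idleFor > IDLE_LIMIT_SECONDS || $age > ABSOLUTE_LIMIT_SECONDS) {
        end_session();
        return false;
    }

    $_SESSION['last_seen_at'] = $now;
    return true;
}

/** Destroy the server-side session and expire the cookie in the browser. */
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // The server-side record is authoritative; expiring the cookie is
        // only tidiness so the browser stops sending a dead id.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage on every authenticated page (hypothetical redirect target):
session_start();
if (!session_is_fresh()) {
    header('Location: /login.php?reason=timeout', true, 302);
    exit;
}
```

The check runs on every request, so it covers the back button, a pasted URL and a re-opened browser alike: whatever the client does, a stale session is refused by the server.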
Re: Expire session on browser close or back button [message #172876 is a reply to message #172868]
Tue, 08 March 2011 20:14
D. Stussy
"mohan" <kodaliece(at)gmail(dot)com> wrote in message
news:2fd4901b-a947-4a21-9727-4224bb2b6b25(at)l14g2000pre(dot)googlegroups(dot)com...
> I am developing one website in which I have the following requirements
> which are pretty much similar to banking website behavior:
> - Expire session when browser is closed
A session cookie will expire automatically without an expires field.
> - Expire session when user clicks on back button of browser
Not possible. All pages are part of the session. However, using an
"Expires:" header (with a date in the past) on individual pages (not the
expires field for the session cookie) might provide you with what you need.
> - Do not show the page if user directly copy pastes the URL to
> navigate to a page
Check the request's "Referer:" header. If it's blank, then either the URL
was directly entered or the header is disabled in the browser.
> Can someone please provide me suggestion on how to implement this. I
> am using Centos, nginx and php combination.
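An added example (not from the thread) of the two page-level measures in this reply: an `Expires:` header dated in the past on each sensitive page so the back button cannot redisplay it from cache, and a `Referer:` check. It goes slightly beyond the reply by also sending `Cache-Control: no-store`, which modern browsers honour more reliably than `Expires` alone, and it treats an empty Referer as undecidable rather than as a rejection, for the reason the reply gives (typed URL or header suppressed). The host name `www.example.com` is a placeholder.

```php
<?php
declare(strict_types=1);

/** Headers that stop browsers and proxies from caching this response. */
function send_no_cache_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');                       // HTTP/1.0 caches
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT'); // a date in the past
}

/**
 * true  => Referer names one of $allowedHosts (navigation from our own page)
 * false => Referer names some other host or is malformed
 * null  => Referer absent: typed URL, or the browser/proxy stripped it
 */
function referer_is_internal(?string $referer, array $allowedHosts): ?bool
{
    if ($referer === null || $referer === '') {
        return null;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    $wanted = array_map('strtolower', $allowedHosts);
    return in_array(strtolower($host), $wanted, true);
}

// Usage on a sensitive page (placeholder host name):
send_no_cache_headers();
$verdict = referer_is_internal($_SERVER['HTTP_REFERER'] ?? null, ['www.example.com']);
if ($verdict === false) {
    // Arrived from another site: send the visitor through the front door.
    header('Location: /', true, 302);
    exit;
}
// $verdict === null (no Referer) is ambiguous, so the session cookie, not
// the Referer, remains the real gate: an authenticated session sees the
// page, an unauthenticated one is redirected by the normal login check.
```

The Referer header is advisory only: it is easily omitted and trivially set by a client, so the example uses it to steer navigation, while the session check decides whether the page is served.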