I have a PHP application where I set $_SESSION['user']="logged" once a user is authenticated. I call this loginpage.php.

Once authenticated and the session variable set, the user is taken to a member page which starts with the lines:

<?php
session_set_cookie_params(0, '/');
session_start();
if ($_SESSION['user'] != 'logged') {
    header("Location:loginpage.php");
}
?>

When a user has logged in, closes the browser and then visits the members page, I expect him to be redirected to loginpage.php.

However, this does not happen. The session cookie is still there in the browser - I tested this using Firefox.

Could someone explain to me where I'm getting it wrong?

+1  A: 

The cookie should be deleted, because you set its lifetime to 0.

Maybe there is still a Firefox process running; take a look in the Task Manager.

Dr.Molle
A: 

Look here.

"The expiration timestamp is set relative to the server time, which is not necessarily the same as the time in the client's browser."

Could be that... dunno.

shideon
A: 

Also, you should terminate your script after header('Location:'); otherwise it'll just continue running and output the "secure" page to the client (or, if you are lucky, to the web server, which will hopefully ignore it) anyway, consuming resources.

bdew
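
The member-page check from the question with the script terminated after the redirect, as an added example that is not part of the original posts. It also adds a server-side idle timeout so the login ends even when the browser keeps the session cookie; the `require_login()` and `redirect_to_login()` helpers, the `last_seen` session key and the 900-second limit are assumptions made for illustration.

```php
<?php
// Added example, not code from the original posts.
// Assumptions: the helper names, the 'last_seen' session key and the
// 900-second idle limit are hypothetical choices for this sketch.

const IDLE_LIMIT_SECONDS = 900;

function redirect_to_login(): void
{
    header('Location: loginpage.php');
    exit; // stop here so the protected page below is never rendered or sent
}

function require_login(): void
{
    // Lifetime 0 asks the browser to drop the cookie when it closes.
    session_set_cookie_params(0, '/');
    session_start();

    // isset() avoids an undefined-index notice for visitors with no session;
    // the strict comparison avoids PHP's loose type juggling.
    if (!isset($_SESSION['user']) || $_SESSION['user'] !== 'logged') {
        redirect_to_login();
    }

    // Server-side idle timeout: enforced on the server, so it does not
    // depend on the browser actually deleting the cookie.
    // A session without a timestamp (first request after login) starts the clock now.
    $lastSeen = $_SESSION['last_seen'] ?? time();
    if (time() - $lastSeen > IDLE_LIMIT_SECONDS) {
        $_SESSION = [];      // clear the session data held in this request
        session_destroy();   // remove the session data stored on the server
        redirect_to_login();
    }
    $_SESSION['last_seen'] = time();
}

require_login();
?>
<p>Members-only content</p>
```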