I need to keep Security.level set to medium for Ajax reasons. But I want the session to be destroyed if the user closes the browser. How can I do that?

Thanks in advance!

+3  A: 

Unless you're persisting session data (i.e., storing session data in a cookie with an expiration date in the future), then the session should be destroyed when the user closes the browser.

Unfortunately I'm not familiar with the CakePHP framework so I cannot comment on its API. However, if you want to explicitly end a session you can do so in PHP with session_destroy().

Hope that helps.

Brian Driscoll
A: 

I guess you could fire an Ajax command on page unload to call session_destroy().

NickAtuShip
What if the browser crashes? I would do it the other way around: Ajax post to a URL every few seconds. If this doesn't happen anymore, the user is not "on the website" anymore.
mark
+1  A: 

You could remove the session cookie with JS when the page is closed (remember: page close is also triggered when the user just navigates away - maybe just to the next page of yours).

sibidiba
A: 

http://book.cakephp.org/view/1317/destroy for CakePHP - but yes, CakePHP does set a proper session cookie which is deleted by the browser when it closes.

What you really are probably concerned about is session hijacking - and so you really want some kind of a logout on site closure. You can't do this - the best alternative method that I know of is:

  • A short session timeout with an "Are you there?" AJAX refresh - the timeout can be controlled independently of the security level now using Configure::write('Session.timeout', $seconds);, where for medium security level the timeout seconds are multiplied by 100. Banks use this method.
michaelc
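
The short timeout with an "Are you there?" refresh described in the answer above, as an added example that is not part of the original post and is not CakePHP's code: a small JavaScript model of the server side, in which every Ajax ping renews the session and a periodic sweep expires sessions whose browser was closed or crashed. `SessionStore`, `touch`, `sweep`, `effectiveTimeout` and the session ids are hypothetical names; the factor of 100 for medium is the one stated in the answer.

```javascript
// Added example, not CakePHP code. All names here are hypothetical.
const MEDIUM_FACTOR = 100; // from the answer: 'medium' multiplies Session.timeout by 100

// Effective idle window in seconds for a configured Session.timeout value.
function effectiveTimeout(sessionTimeout, factor = MEDIUM_FACTOR) {
  return sessionTimeout * factor;
}

class SessionStore {
  // `now` returns the current time in seconds; injectable so the model is testable.
  constructor(idleSeconds, now = () => Date.now() / 1000) {
    this.idleSeconds = idleSeconds;
    this.now = now;
    this.lastSeen = new Map(); // session id -> time of last request
  }
  create(id) { this.lastSeen.set(id, this.now()); }
  expired(last) { return this.now() - last > this.idleSeconds; }
  // Run on every request, including the "Are you there?" Ajax ping.
  // The server, not the browser, decides: a late ping destroys the session.
  touch(id) {
    const last = this.lastSeen.get(id);
    if (last === undefined) return false;
    if (this.expired(last)) { this.lastSeen.delete(id); return false; }
    this.lastSeen.set(id, this.now());
    return true;
  }
  // Periodic cleanup: a closed or crashed browser never sends another request,
  // so its session is only removed here.
  sweep() {
    let removed = 0;
    for (const [id, last] of this.lastSeen) {
      if (this.expired(last)) { this.lastSeen.delete(id); removed++; }
    }
    return removed;
  }
}

// Constructed scenario: one tab keeps pinging every 60 s, one was closed at t = 0.
function demo() {
  let t = 0;
  const store = new SessionStore(effectiveTimeout(3), () => t); // 3 * 100 = 300 s
  store.create('open-tab');
  store.create('closed-tab');
  let openAlive = true;
  for (let s = 60; s <= 600; s += 60) { t = s; openAlive = store.touch('open-tab') && openAlive; }
  const swept = store.sweep();                       // removes only 'closed-tab'
  const closedAccepted = store.touch('closed-tab');  // a replayed cookie is now rejected
  return { openAlive, swept, closedAccepted };
}
```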