doushao8399 2017-08-11 18:04
浏览 49
已采纳

强制在每个新的浏览器会话中登录用户?

I want to logout user if browser is closed and force it to login again on turning the browser on. 

if (!(isset($_SESSION['admin']))) {
    header ('Location: login.php');
}

This doesn't work - because turning off the browser does not mean drop the sessions on server - if I understand well a lot of posts on SO and outside.

Using javascript to delete sessions just before closing the browser often doesn't work because browser will not wait to execute any code if user clicks to close the browser.

Second option is keeping server session alive by sending a js code from client (setInterval - ajax).

Problem here is scenario with multiple pages open on different tabs/windows, i.e. interference between multiple setInterval functions.

I also tried this: 

session_set_cookie_params(0);
session_start();

This also doesn't work - after turning off/on the browser index.php is open without redirecting to login.php.

The reason is maybe browser option to automatically restore previously loaded pages.

So, what to do ?

  • 写回答

3条回答 默认 最新

  • douzhanlai4671 2017-08-11 19:17
    关注

    @Axalix wrote:

    If session relies on cookies, you just need to keep expiry date empty, then when browser / tab is closed this cookie will be removed from a browser automatically. That's a standard browsers behavior. Yes, the server will still keep it, but since browser doesn't have it, user will need to relogin

    You responded:

    could that be a possible security issue because cookies are javascript stuff - chengable by client?

    Yes cookies can be changed by the client but Axalix' answer from the comments is still the best if you intend to use $_SESSION. If you want to end session on browser exit so that a 2nd user doesn't come later and take over the old session, then you must trust the owner of the session with the session cookie.

    If you really want to break access as soon as the client leaves, then $_SESSION is not the best tool to track login state. Instead you could use WebSockets. The socket remains open as long as the webpage is open. Once the socket closes, you can invalidate any login state.

    This may be more trouble than it's worth though, so think hard about whether it is really that important. As an alternative, you could use SessionStorage, which is destroyed when the browser closes but it's also available to the user (so a user could just copy and save what's in SessionStorage, then recreate it later).

    Basically you need to trust the user who provided you the username and password.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 HFSS 中的 H 场图与 MATLAB 中绘制的 B1 场 部分对应不上
  • ¥15 如何在scanpy上做差异基因和通路富集?
  • ¥20 关于#硬件工程#的问题,请各位专家解答!
  • ¥15 关于#matlab#的问题:期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707,使系统具有较小的超调量
  • ¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
  • ¥30 截图中的mathematics程序转换成matlab
  • ¥15 动力学代码报错,维度不匹配
  • ¥15 Power query添加列问题
  • ¥50 Kubernetes&Fission&Eleasticsearch
  • ¥15 報錯:Person is not mapped,如何解決?