0

In Firefox, if a user logs into a web app and closes the browser, the next time the browser is opened and "Restore Previous Session" is selected, the user will still be logged in.

This behavior has been discussed here.

What I want to know is how to prevent this? I made a decision that users should be logged out when they close their browser. I'm using WAMP and by default session.cookie_lifetime=0 in the php.ini file. Shouldn't this destroy the session cookie when the browser is closed, or does "restore previous session" somehow keep a backup that isn't affected by this? I'm not sure but this could be a problem with WAMP more than anything else.

It's definitely possible because this site does it http://www.mathhelpboards.com/private.php

Celeritas

1 Answer

3

The whole point of the restore session feature of Firefox is that it doesn't destroy session cookies when the browser is closed and reopened. It's up to the individual user to make that decision, not the owner of the site.

That said, there are cases where it's probably appropriate - e.g. a banking site or similar. The solution then is to invalidate the session on the server side - if the user has been inactive for a certain amount of time then close the session and ask them to log in again.

Mark Parnell
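The server-side idle timeout described in the answer above could be enforced in PHP as follows. This is an added example, not code from the question or the answer; the 15-minute limit, the `user_id` and `last_activity` session keys and the `/login.php` path are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed policy: a login is valid for 15 minutes of inactivity.
const IDLE_TIMEOUT = 900;

// Pure check: is this session logged in and recently active?
// 'user_id' and 'last_activity' are hypothetical keys set by the login code.
function session_is_fresh(array $session, int $now, int $idleTimeout = IDLE_TIMEOUT): bool
{
    if (!isset($session['user_id'], $session['last_activity'])) {
        return false; // never logged in, or login state already cleared
    }
    return ($now - (int) $session['last_activity']) <= $idleTimeout;
}

// Call at the top of every protected page. A session cookie brought back by
// "Restore Previous Session" is still sent by the browser, but the server
// refuses it once the idle limit has passed.
function require_fresh_session(): bool
{
    session_start();

    if (!session_is_fresh($_SESSION, time())) {
        // Invalidate server-side state and expire the cookie in the browser.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        return false;
    }

    // Sliding window: every accepted request restarts the idle clock.
    $_SESSION['last_activity'] = time();
    return true;
}

if (!require_fresh_session()) {
    header('Location: /login.php'); // hypothetical login page
    exit;
}
```

The timestamp is checked explicitly on each request because `session.gc_maxlifetime` only controls when PHP may garbage-collect session data, which is not guaranteed to happen at the moment the limit is reached.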