Question

I have a PHP application where I set $_SESSION['user']="logged" once a user is authenticated. I call this loginpage.php.

Once authenticated and the session variable set, the user is taken to a member page which starts with the lines:

<?php
session_set_cookie_params(0,'/');
session_start();
if($_SESSION['user'] != 'logged') {
header ("Location:loginpage.php");
}?>

When a user has logged in, closes the browser and then visits the members page, I expect him to be redirected to loginpage.php.

However, this does not happen. The session cookie is still there in the browser - I tested this using Firefox.

Could someone explain to me where I'm getting it wrong?


Solution

The cookie should be deleted, because you set its lifetime to 0.

Maybe there is still a Firefox process running; take a look in the task manager.

OTHER TIPS

The answers above, including the accepted one, are wrong.

Session cookies don't expire on browser close because of some design decisions made by prominent browser developers.

Basically, session-expiring cookies interfered with the current browser behavior, where a browser downloads updates and then asks to be restarted. The user restarts the browser after such updates and wants to experience as little disruption as possible. Keeping the original session cookie behavior, however, would instantly clear a number of cookies during the browser update => restart process and would disrupt the user experience. Therefore design decisions were made so that now the default behavior is to not clear the session cookies. Advanced users who want to return to the original behavior usually have to enable specific backward-compatibility options or explicit cookie-clearing options.

Also, you should terminate your script after header('Location:'); otherwise it will just continue running and output the "secure" page to the client anyway (or, if you are lucky, to the web server, which will hopefully ignore it), consuming resources.
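Putting the two points above together, here is an added example (not code from the question or any of the answers) of a member-page gate that does not depend on the browser discarding the session cookie and that stops execution after the redirect. It assumes PHP 7.3 or later for the array form of session_set_cookie_params(); loginpage.php comes from the question, while IDLE_LIMIT, the 'last_activity' session key and require_login() are names chosen for this example.

```php
<?php
// Added example, not from the original question or answers.
// Assumed: PHP >= 7.3, site served over HTTPS, loginpage.php as in the question.

const IDLE_LIMIT = 900; // seconds of inactivity before the login is treated as stale (assumed value)

function require_login(int $idle_limit = IDLE_LIMIT): void
{
    // Lifetime 0 is only a hint to the browser; a browser may restore
    // "session" cookies after a restart, so the policy is enforced server-side below.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // send the cookie over HTTPS only
        'httponly' => true,   // keep it out of reach of page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    $logged_in = isset($_SESSION['user']) && $_SESSION['user'] === 'logged';
    $idle_too_long = isset($_SESSION['last_activity'])
        && (time() - $_SESSION['last_activity']) > $idle_limit;

    if (!$logged_in || $idle_too_long) {
        // Tear the session down on the server: the data is gone even if the
        // browser keeps presenting the old cookie.
        $_SESSION = [];
        session_destroy();
        header('Location: loginpage.php');
        exit; // without this the rest of the page is still rendered and sent
    }

    // Refresh the activity timestamp on every successful check.
    $_SESSION['last_activity'] = time();
}

require_login();
// ... protected member content follows here ...
```

The idle timeout is what actually ends a stale login; the cookie settings only reduce how the cookie can be leaked or replayed in the meantime.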

Look here.

"The expiration timestamp is set relative to the server time, which is not necessarily the same as the time in the client's browser."

Could be that... dunno.

Licensed under: CC-BY-SA with attribution