2

index.php

session_start(); if (!(isset($_SESSION['admin']))) { header ('Location: login.php'); exit; }

I want to redirect a user if they're not logged in.
After login (without remember me), I turn off the browser (Chrome) and turn it on again.

All sessions should be removed, so I expect a redirection to login.php, but it doesn't work (index.php is loaded).

6
  • "All sessions should be removed" - they are not removed. Show us the code saving the data to session. Commented Aug 11, 2017 at 6:34
  • You can simply do it this way: if (isset($_SESSION['admin'])) { // do something }else{ header ('Location: login.php'); } Commented Aug 11, 2017 at 6:35
  • @bonaca, After login, the PHP session should not be removed even if you close the browser and reopen it again. Commented Aug 11, 2017 at 6:36
  • Try var_dump($_SESSION['admin']) and check what is there in it. Commented Aug 11, 2017 at 6:36
  • session_set_cookie_params(0); and then session_start(); Commented Aug 11, 2017 at 6:38

2 Answers

1

If you see a session as "a browser session", then this is surprising behaviour. But this is not the case.

A session is a session as defined by the server. To remember that this is that same user, it saves the session as a cookie. From the point of view of the server, it doesn't really matter if you close your browser, shut down your computer, or drink a cup of coffee: you are still that same, unique, person, so your session should be the same.

As long as your cookies are saved AND are not too old, it's all the same session. You could, from the user side, try to instruct your client to stop this, for instance on a shared account: have the browser remove all cookies on exit or use different profiles (this at least is possible in Chrome).

So the expected behaviour is that as long as the cookie is valid, the session is the same. Cookie validity (or actually: removal) CAN be tied to closing your browser, but most of the time it isn't. I am not sure it is even possible to directly detect if a browser was closed, so it's hard if not impossible to force your described behaviour from the server side.

edit: a quick addition from the manual:

Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site. All information is in the Session reference section.

It talks about "subsequent accesses", which is quite broad.


1 Comment

Yes, I see a session as "a browser session". Thanks for your explanation.
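
Added example, not part of either answer: since the server never learns that the browser was closed, the login can be bounded on the server instead, with an idle and an absolute timeout checked on every request. The limits and the `login_at` / `seen_at` session keys are assumptions; `login.php` is assumed to set both (and call `session_regenerate_id(true)`) when it sets `admin`. Requires PHP 7.3 or later.

```php
<?php
// index.php guard (added example; constants and key names are hypothetical).
const IDLE_LIMIT     = 900;    // assumed: 15 minutes without a request
const ABSOLUTE_LIMIT = 28800;  // assumed: 8 hours since login

// A login is valid only if all three keys exist and both clocks are in range.
function session_is_fresh(array $s, int $now): bool
{
    if (!isset($s['admin'], $s['login_at'], $s['seen_at'])) {
        return false;
    }
    return ($now - $s['seen_at'])  <= IDLE_LIMIT
        && ($now - $s['login_at']) <= ABSOLUTE_LIMIT;
}

// Clear the data, expire the cookie in the browser, delete the server record.
function end_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

session_set_cookie_params([
    'lifetime' => 0,       // no Expires attribute: a browser-session cookie
    'path'     => '/',
    'secure'   => true,    // assumes the site is served over HTTPS
    'httponly' => true,    // keep the session ID away from page scripts
    'samesite' => 'Lax',
]);
session_start();

if (!session_is_fresh($_SESSION, time())) {
    end_session();
    header('Location: login.php');
    exit;                  // stop here so the protected page is never rendered
}
$_SESSION['seen_at'] = time();  // sliding idle window
```

A lifetime of 0 only asks the browser to drop the cookie on exit; the timestamps are what the server itself enforces.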
0

You need to use the session destroy function and then check. See the code below:

session_destroy(); if (!(isset($_SESSION['admin']))) { header ('Location: login.php'); exit; }

Or an alternative is to use the unset function, then check:

unset($_SESSION['admin']); if (!(isset($_SESSION['admin']))) { header ('Location: login.php'); exit; }

Well, to destroy the session you can use an Ajax call on the browser unload event:

$(window).on('unload', function() { $.get('session_destroyer.php'); });

2 Comments

He is asking that if he closes the browser and reopens it, the session should be removed and he should be redirected to login. He doesn't want to remove the session manually.
If I manually destroy sessions, redirection works, but I'm surprised by the fact that on closing the browser, sessions are not destroyed automatically.
