Re: Is Session Always Cleared?




on 25-9-2008, Jonathan Wood supposed :
Hans,

What exactly do you mean by "multiple users logging in from the same computer"?

I'm sorry. It's hard to know how to better state it than that. Unless you clarify which part is unclear.


I gave some possibilities below

If there is just one user at a time then there shouldn't be a problem.
If the first user closes his browser after he is finished, the session cookie is forgotten. A new browser instance will use a new session.
When the first user logs out, you can destroy the session server side (Session.Abandon).

Well, I don't know if it's a given that the browser was closed in between. But even if it was, the cookie could remain after the browser is closed. However, what if any data remains from that cookie is something I don't know.


The session cookie has no expiry-date so the browser treats it as a temporary cookie. It does not get stored and disappears as soon as the browser is closed.

However, two users at *the same time* from the same computer could lead to problems. The various browser windows could use the same cookie set. So when a second user opens a new window, he could be automatically using the session of the first user.

No, I'm not considering the possibility that multiple users were logging on to the site on the same computer at the same time.

I think that Firefox uses the same cookie set for all its windows. For IE it depends on how the new window is started.

In fact, the case where I have the most information about the problem (which isn't much) is specifically on Firefox. But I still don't see how this could be an issue.


A guess: the first user did not log out and did not close his browser window, but minimised it. The second user thought he started a fresh instance of the browser but got a new window of the first instance, with the session cookie (and thus the session) of the first user.

Thanks.

Jonathan
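
The logout step discussed in this thread (Session.Abandon, plus the session cookie that stays in the browser until it is closed), as an added example that is not code from either poster. It assumes a Web Forms code-behind class named Logout, a Login.aspx page, and the default session cookie name; all three are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical code-behind for a Logout.aspx page (the page name is an assumption).
public partial class Logout : Page
{
    // Default ASP.NET session cookie name. It differs if the application
    // sets <sessionState cookieName="..."> in web.config.
    private const string SessionCookieName = "ASP.NET_SessionId";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Drop this user's values immediately, then mark the session
        // for destruction at the end of the request.
        Session.Clear();
        Session.Abandon();

        // Abandon() does not remove the cookie from the browser, so an
        // open or minimised browser instance would keep sending the same
        // session ID. Overwrite it with an empty, already-expired cookie
        // so the next person on this machine is issued a fresh ID.
        var expired = new HttpCookie(SessionCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        };
        Response.Cookies.Add(expired);

        // Login.aspx is a hypothetical landing page.
        Response.Redirect("~/Login.aspx", false);
    }
}
```

This only helps when the first user actually logs out; a browser left open without logging out still holds a valid session until the server-side timeout expires.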

