Session Variables and Mozilla

#1 (Registered User, joined May 2013)

Hi All,
Just recently I have discovered that the newer versions of Mozilla are preserving session variables across browser closings!
This is causing some real security problems for my site, and I would assume anyone's site. Is anyone else out there encountering this? Thanks in advance.

    May all your pain be champagne!
#2 (Registered User, joined Jul 2013)

The specification says that if you put 0 in the lifetime of cookies, the browser has to delete them when you close it.

This behavior is not guaranteed; for this reason, if you have serious security problems you have to check the session on the server side (remember that client data is not reliable because people can change it).

My advice is: check a maximum session lifetime on the server side.
#3 (Registered User, joined May 2013)

Originally Posted by ignorant:
    The specification says that if you put 0 in the lifetime of cookies, the browser has to delete them when you close it.

    This behavior is not guaranteed; for this reason, if you have serious security problems you have to check the session on the server side (remember that client data is not reliable because people can change it).

    My advice is: check a maximum session lifetime on the server side.
Thanks for the response. I am not sure, but I don't think that session variables are considered cookies - again, not sure. But the case I am talking about is in the time frame of seconds. My client is doing the testing. He connects to the site, goes through the login sequence and proceeds to execute page penetration. He then logs out, closes the browser and then goes back into the site but specifies a page 3 levels past the login and gains access. I am using session variables to test the validity of page entry; if the email address is not present in the specified session variable, which is stored after login, I execute a "die" command to force exit from the site - granted, not tippy toe! If the client attempts this procedure before an initial login he is thrown out of the site. This is only happening with Mozilla with no redirect specified as one of the operating parameters. I was under the impression that when a browser is closed RAM was cleared on both client and server sides?
#4 (Registered User, joined Jul 2013)

When you start a PHP session, the server creates and sends a session ID (unique id) to the client.
The client saves this in a file, like a session cookie.
In the next requests the browser sends the unique id to the server, and in this way you have a session (the HTTP protocol is stateless and this is a way to create a session).

The session's variables are stored on the server and are joined with the unique ID. The server deletes them when the session is finished. The server can't know if the browser was closed if the browser does not collaborate.

For your problem you can check $_SERVER["HTTP_REFERER"]; this variable contains the previous page and in your case should be empty if your user reopens the browser (yes, people can edit that variable if they want).

Can it be a solution?

PS: sorry for my English.
#5 (Devshed Expert, joined Jul 2012)

Hi,

no, you do not check the referrer, because many people choose to keep their privacy and suppress this header altogether.

What you need to do is read up on how sessions work and how to delete them. If your user has explicitly logged out and the session still exists afterwards, it's clearly an implementation error on your part (in the PHP code). You need to fix it.

Firefox only saves session cookies if you have it restore all tabs. Did your client complain about it? Then tell them how to configure Firefox and turn this behaviour off (see the link).
The 6 worst sins of security | How to (properly) access a MySQL database with PHP

Why can't I use certain words like "drop" as part of my Security Question answers?
There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
#6 (Registered User, joined Jul 2013)

Originally Posted by Jacques1:
    What you need to do is read up on how sessions work and how to delete them.
Yeah, Jacques1 is right.
I had missed this step:
Originally Posted by Jacques1:
    He then logs out
and I had assumed that the user only closed the browser without logging out.
#7 (Contributing User, joined Dec 2004)

Originally Posted by ignorant:
    and I had assumed that the user only closed the browser without logging out.
Which is a valid assumption; you can have browser/OS crashes, or the user simply exits his browser.
#8 (Registered User, joined May 2013)

Originally Posted by Jacques1:
    Hi,

    no, you do not check the referrer, because many people choose to keep their privacy and suppress this header altogether.

    What you need to do is read up on how sessions work and how to delete them. If your user has explicitly logged out and the session still exists afterwards, it's clearly an implementation error on your part (in the PHP code). You need to fix it.

    Firefox only saves session cookies if you have it restore all tabs. Did your client complain about it? Then tell them how to configure Firefox and turn this behaviour off (see the link).
First let me say thanks to all of you. I am new to the PHP game, so the probability of incorrect implementation is high. I think Jacques1 is seeing the problem rather comprehensively - the session is not being "destroyed". I will spend some time digesting this session architecture today and return to the fight. Again, thanks to all for the mental update! This truly is a great site for finding help/answers!
#9 (Dazed&Confused, joined Jun 2002, Tempe, AZ)

    Maybe there are use cases I've never come across, but why would you want the session destroyed when the user closes their browser?

    I wouldn't care about that personally. I'd just have the sessions destroyed either when they reach a predefined expiration time, or when the user explicitly logs out in your application.

    Give the user a cookie with the same expiration time as your server-side session and browsers should respect that; they can close/reopen and return to your site without having to log in again, so long as the expiration time hasn't been reached.
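The thread converges on three points: #4 explains that session data lives on the server keyed by the ID in the cookie, #5 says a session that survives an explicit logout is a PHP implementation error, and #9 recommends a server-side expiry with a cookie lifetime to match. The following PHP is an added example written for this page, not code posted by anyone in the thread or taken from the original poster's site; it assumes PHP 7.3 or later (for the array form of session_set_cookie_params and setcookie), and the constant, function names and the 30-minute limit are hypothetical choices.

```php
<?php
// Added example: a small session guard for a PHP site (not from the thread).
// - logoutUser() destroys the server-side data and expires the cookie, so a
//   browser that restores its session cookies holds a dead ID.
// - isLoggedIn() enforces a server-side maximum lifetime, so nothing depends on
//   the browser "collaborating" by discarding the cookie on close.
// - startSecureSession() gives the cookie the same lifetime as the server limit.
declare(strict_types=1);

const SESSION_MAX_LIFETIME = 1800; // assumed value: 30 minutes of inactivity

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    ini_set('session.gc_maxlifetime', (string) SESSION_MAX_LIFETIME);
    // Cookie lifetime matches the server-side limit, so both sides expire together.
    session_set_cookie_params([
        'lifetime' => SESSION_MAX_LIFETIME,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call after the credentials have been verified (verification itself is out of scope here).
function loginUser(string $email): void
{
    startSecureSession();
    session_regenerate_id(true);        // fresh ID after authentication; old one deleted
    $_SESSION['email']         = $email;
    $_SESSION['last_activity'] = time();
}

// True only for a live, unexpired login. The check is done on the server on every
// request; gc_maxlifetime alone is probabilistic and cannot be relied on.
function isLoggedIn(): bool
{
    startSecureSession();
    if (empty($_SESSION['email']) || empty($_SESSION['last_activity'])) {
        return false;
    }
    if (time() - (int) $_SESSION['last_activity'] > SESSION_MAX_LIFETIME) {
        logoutUser();                   // expired server-side, whatever the browser kept
        return false;
    }
    $_SESSION['last_activity'] = time(); // sliding expiry
    return true;
}

function logoutUser(): void
{
    startSecureSession();
    $_SESSION = [];
    // Expire the cookie in the browser as well, so a restored cookie is useless.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();                  // removes the server-side data for this ID
}

// Put this at the top of every page behind the login (the "3 levels past login" pages),
// in place of the die() check described in #3.
function requireLogin(string $loginUrl = '/login.php'): void
{
    if (!isLoggedIn()) {
        header('Location: ' . $loginUrl, true, 303);
        exit;
    }
}
```

With this in place the scenario from #3 no longer works: after logoutUser() the ID the browser restores maps to nothing on the server, and use_strict_mode stops PHP from silently adopting the stale ID as a new session. The HTTP_REFERER idea from #4 is deliberately absent, for the reason given in #5.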