How to prevent sessions from being saved

[evansste]

I'm building a website that uses session variables.  My understanding of session variables is that they only exist as long as the browser is open -- meaning that once the browser closes, the session variables are lost.  

 

My website anticipates this to be the case, but I have found that my session variables are being stored (possibly in cookies).

 

When I close the browser, and then reopen it and return to my website, I find that the session variables are still set.  Shouldn't they be disappearing when the browser closes?

 

This is a big problem since my website assumes that the information is lost.  Is there some way for me to make sure that my session variables aren't being saved in cookies?  That way, when the browser closes, no information has been saved, and therefore, when I return to the website, there should be no session variables.  Is there any way to do this?  If so, how?

 

I've tried using the "session_set_cookie_params(0);" statement before my "session_start();" as follows.

 

<?php

session_set_cookie_params(0);

session_start();

?>

 

However, this didn't work.  Am I not using "session_set_cookie_params" correctly?  Why does my browser remember my session variables?

 

Thanks for your time, and for any help that anyone is willing to provide.

[mac_gyver]

when you are closing your browser, are you closing ALL instances of your browser?

 

if even one instance of your browser is open (or even in the case where your browser has messed up or has intentionally been messed with by a site and remains running as a process, but there's no visible window open), then the session id cookie will be retained and opening an instance of the browser will give you back the previous session variables.

[evansste]

Thanks, mac_gyver, for responding to my post.

 

I think my problem had something to do with cookies already being saved on my browser prior to me making the "session_set_cookie_params(0);" change to my website, because it seems to be working now.  After making the change, I went into my browser settings and deleted all of the cookies, but that didn't work at the time.  However, it seems to be working now -- like some sort of delayed effect.  Maybe you were right that some instance of my browser hadn't closed, and I just didn't know it, I don't know.  Now when I close my browser, and reopen it, the session variables are gone.  However, I now have another question, and based on your post, I think I know the answer.

 

Is there any way to make it so that the session variables will vanish once all browser tabs for my website have been closed, rather than having to shut down the entire browser?  Based on your response, I'm guessing that your answer is "no", but I feel I have to ask.  It seems as if the "session_set_cookie_params" function works when closing the entire browser, but not when all tabs, for my site, are closed.  Do you know of a way to make the session variables disappear when all of the tabs to my site are closed, or am I living in a dream world to think that it may be possible?

 

Thanks again for responding to my question.  I really appreciate your time and attention.

[ginerjm]

Have you read the manual??

 

Try this reference:   http://us2.php.net/manual/en/function.session-destroy.php

[evansste]

Thanks for your response, ginerjm.

 

I know that there are many ways to destroy session variables, or end a session, at will.  However, I have no control over when a person will close a tab, or close a browser, which makes most of the "at will" functions ineffective.  On top of that, once they close the tab, any script that I have written will no longer be available to execute.  That's what makes this so tricky.

 

If session variables really lived up to their name as being temporary variables that only exist as long as your pages are open, then I'd have nothing to worry about.

 

I'm relatively new when it comes to building websites and I obtained over 90% of my site-building knowledge by reading w3schools.com information.  That's where I first learned of the session variable.  On that site, it makes it seem as if the session variables are only alive as long as your pages are open, and that once your pages close, the session ends, and the variables are gone.  I built a great deal of my website around this concept.  Now I'm finding that this notion isn't so accurate.

 

At least the "session_set_cookie_params" function will cause the browser to not use cookies.  This at least makes it so that the variables have never been saved, and therefore are not around when the browser closes, and reopens.  If only there's a way to do that with tabs, and not just the entire browser.  I know it's a long shot, but I felt the need to at least check with people who have a lot more experience than I.

 

Thanks again for your response.  One of the things that I like more about w3schools.com is that they are more detailed when it comes to describing and using functions, and site-programming in general.  The manual mentions more of the functions that actually exist.  However, I find the descriptions more vague.  Maybe you're right, though.  Maybe I need to spend more time looking there.  My first impression is that most of these functions are "at will" functions.

 

I'll take a closer look at the "session_destroy" function.  Maybe it's what I need.

 

Thanks again for your help.

Edited July 6, 2014 by evansste

[ginerjm]

The general opinion of many is that w3schools is NOT what it appears to be.  But.....

 

As for your fears about sessions.  It is my understanding that they do go away once ALL occurrences of your browser are closed down.  Not just tabs, but the application itself should you have multiple browsers (of the same manuf) open.  Sometimes I have noticed that if I re-open my IE within seconds of having shut it down, the session will be there, but if it is closed for 30 seconds or so, it is totally gone, so I'm not sure what you are concerned about.

[evansste]

ginerjm, ever since I put the "session_set_cookie_params(0);" before the "session_start" statments on all of my pages, you're right -- the session is destroyed once the web browser closes.  This is certainly much better than what it was doing before, which is holding onto the variables after the browser closed.

 

My concern is based on the way that my website works.  On my website, I use session variables in a similar way that the DMV uses their "take-a-number" system.  McDonald's also uses this system.  If you go inside and place an order, you're given your receipt that has a ticket number at the top.  You wait for them to call out your ticket number so that you can get your order.  My website works the same way.  It processes jobs for people who submit them.  Once they submit a job, a session variable is created and given a unique value in order to keep track of the job's progress.  Once the job is delivered, the session variable is destroyed.

 

If a person closes all tabs to my website without properly canceling their job, my site keeps the job number in the system as it continues to work on it.  The site will only hold onto the job for so long.  If the person doesn't claim it, the session variable is destroyed, and is then allowed to be used by a newcomer.

 

Because the browser holds onto session variables until the browser is closed, a person can start a job, close all of the tabs, and still have that session variable as long as their browser is open.  Once the website realizes that the job has been abandoned (it was never retrieved), it will destroy the variable.  Then if a newcomer visits the site, and starts a new job, they may get the job name that was used before, because the site has destroyed the variable, allowing it to be used again.  But if the person, who closed the tabs without canceling the job) comes back.  Their browser will remember the job number.  Now there are two people in the system with the same job.  So when the new person's job completes, it may go to the old user.  Or if the old user now decides to cancel the job properly, they may cancel the newcomer's job.  This is a problem.

 

I may have to design the site so that it won't reuse variable names that have been destroyed.  It may have to always create a completely new job name by using index numbers that increase into the millions everytime a new job is created.  I hate to have to do this.  However, if session variables aren't actually destroyed once a person leaves the site, there's always a chance that two people may end up using the same variable.  It's a remote chance, but I'm a believer in Murphy's law.

 

If I can make it so that the variables are destroyed once all pages are closed, this would make the current system stable without having to make new variable names that extend into the millions. 

[Stefany93]

session_set_cookie_params(0);

Remove this line. Also, you can disable the sessions on window unload using JS + AJAX.

[evansste]

Well, I've finally given up trying to make it so that the browser won't remember session variables once all pages are closed.  As of now, my website officially uses indicies that can run into the billions when it comes to generating unique job names.  It's ugly and less elegant, but at least it should prevent more than one person having the same job name.

 

I started to look into disabling sessions on window unload, as Stefany93 suggested.  However, I was still unable to get anything to work when it comes to the sessions being forgotten once all pages are closed.  The "session_set_cookie_params(0);" statement does work when the entire browser is closed, so I've decided to keep it.

 

Thanks to everyone who has given me advice and suggestions pertaining to this topic.  I greatly appreciate your time, and I certainly don't take your help for granted.  So thanks to all of you.

 

I now have a new problem to deal with.  But since it is a different issue, I'll start the topic with a different thread.