Jean,

This is a common challenge with a pretty easy solution.

First, in case you are curious why the session can be reestablished, the bookmarked page likely has the session identifier in the query string. Thus, it is unnecessary for the browser to send a cookie, because it is sending the session identifier as a GET variable. This is what PHP is using to identify the client.

It is a bad idea to depend on the timeout of a cookie or the session cleanup process to maintain a session timeout mechanism. Instead, you should keep a timestamp stored as a session variable that you use to make any time-based decisions for that session. For example:

$_SESSION["last_access"] = gmmktime();

To use this value to enforce a timeout, you would make a check similar to the following to make sure it hasn't been too long since the last access:

$seconds_idle = gmmktime() - $_SESSION["last_access"];

If the number of seconds they have been idle is too long for you, force them to reenter their password or even completely reauthenticate to continue. If the idle time is acceptable to you, reset the session variable to the current time.

Chris

--- Jean-Christian Imbeault <[EMAIL PROTECTED]> wrote:
> I've made a site in PHP and on some pages a user needs to log
> in first before gaining access to the page. (i.e. there is a
> log in page).
>
> Once the user has logged in I keep that fact in a session
> variable so that he doesn't need to log in again.
>
> However I have found out that if:
>
> 1- the user logs in
> 2- bookmarks the page
> 3- closes the browser
> 4- opens the browser
> 5- goes to the saved bookmark page
>
> He has access to the page. I.e. the session did not
> close/terminate when he closed his browser ...
>
> In Netscape 7 I have checked the stored cookie and it is set
> to expire at the end of the session (which is the default I
> think), so I don't understand why the PHP thinks the session
> is still opened ...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
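
The idle-timeout check described in the reply above, combined with cookie-only session ids so a bookmarked URL cannot carry the identifier; this is an added example, not code from the original post. The names check_idle(), IDLE_LIMIT_SECONDS, the 'user' key, /login.php and the 15-minute limit are assumptions, and time() is used for the current timestamp because PHP 8 no longer accepts gmmktime() without arguments.

```php
<?php
// Added example; check_idle(), IDLE_LIMIT_SECONDS, the 'user' key and
// /login.php are assumed names, not taken from the post.
const IDLE_LIMIT_SECONDS = 900; // assumed 15-minute idle limit

// Decide from the server-side timestamp alone whether the session may
// continue. Pass $_SESSION in a page; a plain array works for testing.
function check_idle(array &$session, int $now, int $limit = IDLE_LIMIT_SECONDS): bool
{
    // No timestamp: the login code never recorded an access time.
    if (!isset($session['last_access']) || !is_int($session['last_access'])) {
        return false;
    }
    $seconds_idle = $now - $session['last_access'];
    // Too long idle, or a negative value from a clock change: expire.
    if ($seconds_idle < 0 || $seconds_idle > $limit) {
        unset($session['last_access'], $session['user']);
        return false;
    }
    $session['last_access'] = $now; // acceptable idle time: reset it
    return true;
}

if (PHP_SAPI !== 'cli') {
    // Protected page: accept the session id from the cookie only, so a
    // bookmarked URL carrying an id in the query string is ignored.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_start();
    if (!check_idle($_SESSION, time())) {
        header('Location: /login.php'); // login sets last_access = time()
        exit;
    }
} else {
    // Constructed walk-through of the bookmark case (timestamps made up).
    $s = ['user' => 'jean', 'last_access' => 1000000];
    foreach ([1000300, 1002000, 1002010] as $now) {
        $ok = check_idle($s, $now);
        printf("t=%d allowed=%s logged_in=%s\n", $now,
            var_export($ok, true), var_export(isset($s['user']), true));
    }
}
```

Run from the command line, the script exercises the constructed timestamps; included at the top of a protected page, it takes the web branch instead.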