How to handle browser close logouts in PHP?

Question

I have a problem with logged in users closing their browsers. My code can't run due to the browser closing and so their logonstatus cant update to 'N' in the database. Also due to the session being destroyed they cant go back to the main pages as I have this code if (!isset($_SESSION['logged in'])) { etc to prevent people from viewing any pages without logging in.

When a user logs on their logonstatus changes to 'Y' and I record the time they logged in. I record their lastactivity time on each page load. I redirect users to the login page and change their logonstatus if they have been idle for 20 min on a page. I also have a cron job due to the browser close issue which runs every 5 minutes and checks if the users last activity has been longer than 20 min and if so their logonstatus becomes 'N'

I think users having to wait 20+ min to re-login due to browser close is too long and so I would like to make it possible to login in again straight away.

I have read about the unload functions of javascript but apparently it is unreliable.

Is there any other way I could go about this?

Answer 1

Closing the browser is always a client side action. So you will need javascript to send the action to the server for PHP to do something.

You can use onbeforeunload to send something to the server, but it is indeed unreliable. A more reliable method is to make the session time a lot shorter (eg: 2min) and then have an ajax call every 30seconds to the server to keep the session alive (make sure its a page with a very small impact on server/connection). If the request fails 4 times, the session is destroyed. Now your cronjob can run every 2mins and a user only has to wait that long.

Another approach is to store a cookie on the users computer with a GUID and save it in the database with the "Logged ='Y'". Now when somebody tries to log in to an account which is already logged in, check if its the same user (cookie) and if so, allow it. This still makes it possible for one user to log in twice, just harder and not by mistake.

Answer 2

You need to change the duration of your session cookies so that they last as long as the browser window remains open; do this with session_set_cookie_params, setting the lifetime to 0. Don't forget to make sure that your cron script and PHP's session gc max lifetime don't delete sessions before 20 minutes have passed.

Since you keep a record of their last access time and check it on each request, you can continue to log out people after 20 minutes of inactivity (just destroy their session and redirect to the login page).