Reputation: 12391
My colleague and I are developing a site, and a mysterious thing happened.
We told our co-worker to close all the tabs and browser windows (to destroy the session) and start a new one. He did it and came back with the same error. We figured out that he had set his browser (in our case Chrome, but this option exists in other browsers too) to: Settings -> On startup -> Continue where you left off
(or something like that; my browser is not in English).
I never used my browser like this, but as others say, a lot of people use it.
In this case, there is no guarantee that closing the browser clears the session cookies. The only way I can be sure is if the user logs out, and the logout process destroys the session (or unsets those variables related to login).
I think I should not have to explain why this is really bad. What can I do about this? I am afraid nothing: the browser saves this session when closed and reloads it when opened.
Time-related solutions are not acceptable.
How do all of you handle this behaviour in your PHP scripts? At public places this is a threat to life.
Upvotes: 1
Views: 64
Reputation: 833
The session is time-based. Nobody has a better, practical solution yet.
You are not in control of events that happen in the browser, such as whether it will clear the cookies on a restart. It is up to the browser manufacturer, who might in turn ask the user in some options.
As you realise, there are a few vulnerabilities in this security model, but no system can be really safe without cooperation from the client.
Techniques to mitigate this problem include:
Upvotes: 1
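The point both posts circle around is that the browser restoring a session cookie is only harmful while the server still recognises that cookie. The following is an added example, not code from the question or the answer, showing the two server-side controls that do not depend on the client: a logout that destroys the server-side session and expires the cookie (the questioner's "destroy the session" approach), and an idle/absolute timeout stored in `$_SESSION` (the answer's time-based approach). The timeout values, the cookie settings, the `/login.php` redirect target and the function names are assumptions for illustration; it assumes PHP 7.3+ for the array form of `setcookie()` and `session_set_cookie_params()`.

```php
<?php
// Added example: native PHP sessions hardened against a browser that
// restores "session" cookies on startup. Nothing here is from the original post.
declare(strict_types=1);

const IDLE_TIMEOUT = 15 * 60;     // assumed: 15 minutes without a request
const ABSOLUTE_TTL = 8 * 60 * 60; // assumed: 8 hours from login, regardless of activity

// lifetime 0 makes this a "session cookie", but that alone is NOT enough:
// "Continue where you left off" restores session cookies too.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Destroys the server-side session data and expires the client cookie.
// After this, a cookie the browser restores later points at nothing.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Called after credentials have been verified (verification not shown).
function login(int $userId): void
{
    session_regenerate_id(true); // fresh id; the pre-login id is deleted server-side
    $_SESSION['user_id']   = $userId;
    $_SESSION['login_at']  = time();
    $_SESSION['last_seen'] = time();
}

// Server-side expiry check; a restored cookie cannot bypass it because the
// timestamps live in the server-side session, not in the cookie.
function requireLogin(): int
{
    $now = time();
    if (!isset($_SESSION['user_id'], $_SESSION['login_at'], $_SESSION['last_seen'])
        || $now - $_SESSION['last_seen'] > IDLE_TIMEOUT
        || $now - $_SESSION['login_at']  > ABSOLUTE_TTL) {
        logout();
        header('Location: /login.php', true, 302);
        exit;
    }
    $_SESSION['last_seen'] = $now;
    return $_SESSION['user_id'];
}
```

Typical use: the logout link calls `logout()` and redirects; every protected page calls `requireLogin()` first. With this in place, a cookie the browser restores after a logout is simply unknown to the server, and one restored without a logout (the co-worker's case) is rejected once the idle or absolute limit has passed, which is exactly the trade-off the answer describes: the browser's behaviour cannot be controlled, so the server has to decide on its own when the session stops being valid.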