Is there a way to clear specific $_session variable when navigating away from a page regardless of whether you hit the back button on IE or you click a button on the screen to take you to another location?

Nope!

PHP does not "know" if the user is navigating away or closing the page.

You could check to see if the user has navigated to the page from your site or from another site, if they came from your site then everything is ok, if not then unset the session var or destroy the session completely.

Quote:

You could check to see if the user has navigated to the page from your site or from another site,

Yep but how would you know?

There isn't even a reliable javascript method that signals unloading a page because the unload event fires when moving to a page on the same site, so if you destroy the session with a asynchronous call, you probably defeat the purpose of having the variable there in the first place.

The session will expire after 20 minutes anyway. So @dgkindy; Why is it a concern?

Using this $_SERVER['REQUEST_URI']? http://www.php.net/manual/en/reserve...les.server.php

Set a session vairable updating with the current $_SERVER['REQUEST_URI'] for every page.

Then on the page in question, check the referring page with the session containing the request_uri?

Not sure I get the point??

That is a deprecated method of reading the session values on a page or by a script. It does NOT allow the developer to clear a session variable as the use navigates AWAY from the page or site.
If the useragent goes to another page on the same site you have a choice of refreshing or retrieving the values or you could clear them.
HOWEVER as the "back button" simply retrieves the page from the local cache and does NOT request the page from the server the PHP code is NOT going to run.
If the user leaves the site totally no PHP code is going to run either so the session will continue to timeout.

Sorry Chris, didnt explain my thoughts properly.

What ive done is approach the challenge from a different angle, obviously we cant execute any php once the user leaves becasue the user no longer has any interaction with the scripts. Additionally PHP cant detect that the user has navigated away, it just stops functioning, we know this

What I am trying to think of is working the problem from the oposit direction, we cant tell the user has left the site but we do know when i user is on the site.

We can also detect where the user has come from. So, using this information can we not tell the page to clear the session if the user has navigated to said page from anywhere other than a list of safe pages/sites (if any) etc.

The possible problems with this that I can see (im sure there are more, and im sure you will be kind enough to explain them);

If a user leaves the site, presses back a few times, would this become insecure?

Does using $_SERVER open the possibility of other security issues?

Brain wave (Thinking out loud):

Would a possible solution be using a hidden form/post/get request using a unix time stamp tied to the session creation, i.e. that session is only valid for that page and cant be used after the timestamp?


dgkindy,
Maybe if you explain the context of what your trying to use this on it will spark an idear.

Quote:

we cant tell the user has left the site but we do know when i user is on the site

Sure and each user request will reset the session timeout and maintain the session variables/values.

Quote:

We can also detect where the user has come from. So, using this information can we not tell the page to clear the session if the user has navigated to said page from anywhere other than a list of safe pages/sites (if any) etc.

This isn't really an issue as the session only exists from the first access between the useragent and the server.
Session data is ONLY valid or accessible between the server it was created on and the client that started the session.
Accessing the same site with two different browsers, say IE and Firefox simultaneously will result in TWO independent sessions and neither browser (User Agent) can access the session created by the other.
Other servers cannot access the information in session variables from another server.
So knowing the referrer is on no value it this case.

PHP has an automatic garbage collection when the session times out but does not fire any event or trigger a function the can be accessed by programmers.
ASP has the Session_OnEnd method in Global.asa which can be used to cleanup or cascade other functions/procedures after the user has left and timeout occurs.

PHP has no equivalent method (as far as I am aware).

Quote:

Does using $_SERVER open the possibility of other security issues?

Not especially

Quote:

Would a possible solution be using a hidden form/post/get request using a unix time stamp tied to the session creation, i.e. that session is only valid for that page and cant be used after the timestamp?

This happens anyway with the timeout, which can of course be changed in php.ini and session ID for client 'A' would be invalid for client 'B'.

The best bet would be to set the expirery of the session for a shorter amount of time.

Quote:

Originally Posted by chrishirst

Not especially


This happens anyway with the timeout, which can of course be changed in php.ini and session ID for client 'A' would be invalid for client 'B'.

Ok, thanks

Quote:

Originally Posted by mgraphic

The best bet would be to set the expirery of the session for a shorter amount of time.

I agree 100% ... just let the session handler handles it.