Tuesday, September 21, 2010

PHPSESSID: Firefox didn't destroy the PHP session on browser close

Now I know: the PHPSESSID cookie isn't destroyed when the Firefox browser is closed.

Sessions are supposed to be destroyed when the browser application is closed. Users assume that if they close the browser, the next person to open it will not be able to view web applications they may have authenticated to. A sample PHP web page is included in the 'Troubleshooting' section. To reproduce the problem, publish the example code and load the page in Firefox. On first load, the session is reported as not there; on reload, it is reported as intact. Then close the browser (choose 'Save & Close') and open Firefox again. You will see the session has been maintained through a browser restart. This may be handy, but it is rather dangerous, as many web applications assume that session IDs are destroyed once the browser is closed.
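The following is an added example, not the post's own 'Troubleshooting' page. It reports whether the PHPSESSID session was carried over between requests (so the restart behaviour described above can be observed), and it shows the defensive consequence: because a lifetime-0 cookie may survive a browser restart, the server enforces its own idle and absolute limits instead of trusting the browser to drop the cookie. The 15-minute idle and 8-hour absolute limits are assumed policy values, and the array form of `session_set_cookie_params()` requires PHP 7.3 or later.

```php
<?php
// Added example (not the original post's sample page). A cookie lifetime of 0
// means "until the browser closes", which this post shows is not guaranteed,
// so expiry is enforced server-side from timestamps stored in the session.

const IDLE_TIMEOUT_SECONDS      = 15 * 60;   // assumed policy: 15 minutes idle
const ABSOLUTE_LIFETIME_SECONDS = 8 * 3600;  // assumed policy: 8 hours total

// HttpOnly keeps page scripts from reading PHPSESSID; 'secure' is set when the
// page is served over HTTPS. Requires PHP >= 7.3 for the array form.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'httponly' => true,
    'secure'   => isset($_SERVER['HTTPS']),
    'samesite' => 'Lax',
]);
session_start();

$now    = time();
$status = 'new session (no PHPSESSID presented, or it was unknown)';

if (isset($_SESSION['created'], $_SESSION['last_activity'])) {
    $idle = $now - $_SESSION['last_activity'];
    $age  = $now - $_SESSION['created'];

    if ($idle > IDLE_TIMEOUT_SECONDS || $age > ABSOLUTE_LIFETIME_SECONDS) {
        // Server-side expiry: discard the old session data and issue a fresh
        // ID, regardless of whether the browser still presents the old cookie.
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);
        $status = sprintf('expired server-side (idle %ds, age %ds)', $idle, $age);
    } else {
        $status = sprintf('session intact (idle %ds, age %ds)', $idle, $age);
    }
}

if (!isset($_SESSION['created'])) {
    // First request of a session: record its start and rotate the ID so a
    // pre-existing cookie value is not adopted as the authenticated session.
    $_SESSION['created'] = $now;
    session_regenerate_id(true);
}
$_SESSION['last_activity'] = $now;

header('Content-Type: text/plain');
echo "PHPSESSID: " . session_id() . "\n";
echo "Status:    " . $status . "\n";
echo "Reload, then restart Firefox with session restore and reload again.\n";
```

Load the page twice, restart Firefox with its session saved, and load it a third time: the status line shows whether the server still considers the session intact. Whatever the browser does with the cookie, a session older than the assumed limits is discarded on the server, which is the only place the check can actually be enforced.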