Sanity check - sessions and Firefox's save tabs feature

#1
nuwanda
Yes, a sanity check.

Firefox has a feature that asks you, when closing multiple tabs, if you wish to save them. If you choose to save, those tabs are automatically opened when you next start the browser.

Now, I've been building my user login system using native PHP sessions (not CI's). It works perfectly, but, when I close FF with multiple tabs open (one of which is my test site), and reopen, I find I'm still logged in despite the fact that the session is due to expire on browser close. This doesn't happen when multiple tabs aren't saved.

I checked a few sites I visit regularly and found they all had the same behavior, including this very forum, and Facebook. Amazon behaves differently: if you log in but choose not to be remembered, despite saving multiple tabs on close, the browser does not remember your Amazon session.

I guess it depends on what your perspective is. If saving multiple tabs also means that your session state should also be saved, then everything is as it should be.

But if you have not asked to be specifically remembered across visits, then why should FF save your session along with the tab?

Anyone else been bemused by this behavior?

#2
Narkboy
I suspect that Firefox is more concerned with the browsing experience than making life easy for developers. How many users would find the 'remember tabs' feature pointless if mommy wasn't logged into her yahoo mail account after a restart...

It does make security a bit of an issue though, I have to say. Public computers etc. etc..

Anyway - good spot because I never use (and don't know anyone who does) the saved tab feature..

#3
WanWizard
Ran some tests here. If you choose to restore tabs (or restore a session in case FF crashes), all cookies of that session are restored as well. So you'll end up with a valid cookie, as if the session never stopped.

Amazon doesn't rely on only a session cookie; it also creates a session-id-time and a session-token cookie. The session-token cookie has a 10-minute expiry, so they don't work with expire on browser close, but with a fixed timeout. Which you can also do with the CI session cookie...
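
The fixed-timeout idea from post #3, applied to the native PHP sessions from post #1, as an added example that is not code from any poster in this thread. The constants, function names and limits are assumptions; the point is that expiry is enforced from timestamps stored server-side, so a cookie restored along with saved tabs does not revive a stale login.

```php
<?php
// Added example, not code from this thread. The constants and function
// names are hypothetical and the limits are illustrative.
const IDLE_LIMIT = 600;       // seconds of inactivity allowed
const ABSOLUTE_LIMIT = 28800; // hard cap on one login's lifetime

// Validity is decided from timestamps kept in server-side session data.
// The cookie's own lifetime is ignored, since a restored browser session
// sends the old cookie back as if the browser had never closed.
function session_is_fresh(array $s, int $now): bool
{
    if (!isset($s['user_id'], $s['created'], $s['last_seen'])) {
        return false; // nobody is logged in on this session
    }
    return ($now - $s['last_seen']) <= IDLE_LIMIT
        && ($now - $s['created']) <= ABSOLUTE_LIMIT;
}

// Call at the top of every request; returns true if a login is still valid.
function start_checked_session(): bool
{
    session_start();
    $now = time();
    if (session_is_fresh($_SESSION, $now)) {
        $_SESSION['last_seen'] = $now; // sliding idle window
        return true;
    }
    if (isset($_SESSION['user_id'])) {
        // Expired login: drop the data and retire the old session id.
        $_SESSION = [];
        session_regenerate_id(true);
    }
    return false;
}

// Call after credentials have been verified.
function mark_logged_in(int $userId): void
{
    session_regenerate_id(true); // new id for the authenticated session
    $_SESSION['user_id'] = $userId;
    $_SESSION['created'] = $_SESSION['last_seen'] = time();
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: login at t=0, last request at t=100.
    $restored = ['user_id' => 7, 'created' => 0, 'last_seen' => 100];
    var_dump(session_is_fresh($restored, 400));  // tab reopened soon after
    var_dump(session_is_fresh($restored, 5000)); // browser restored later
}
```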

