I'm building a web application that allows users to log in to a database backend and update some records. I'm not a professional PHP developer by any means.
I've just noticed that, after opening the Chrome browser, it went to the last page it was on a few days ago (with a restart in between), which was one of the pages of the website that you can only access after logging in. I thought this was strange as the session should have expired by now.
At the top of each page I have:
session_start();
If the user logs in to the backend successfully, I set a session variable like this:
$_SESSION['userAuthenticated'] = TRUE;
If the user clicks the logout button, it does this:
$_SESSION = array();
session_unset();
session_destroy();
In my php.ini file I have the following set:
session.cookie_lifetime 0 (0 for both local value and master value)
session.gc_maxlifetime 900 (900 for both local value and master value)
It was my understanding that the session would remain alive for 15 minutes and be destroyed if the user quits the browser completely. I've just been testing this and I can quit the browser completely, open it again and access one of the pages that should require login.
Am I doing something wrong here? I can't always expect the users to click the Logout button, but I would expect the session to stop working either after 15 minutes or if they quit their browser completely.
UPDATE: here's how I'm checking if a user is already authenticated:
if (!isset($_SESSION['userAuthenticated']) and $_SESSION['userAuthenticated'] !== TRUE) {
header('Location: index.php');
die;
}
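An added example, not the asker's code, of enforcing the 15-minute idle timeout on the server so it does not depend on the browser discarding its cookie or on session garbage collection running. The names lastActivity, SESSION_IDLE_SECONDS, requireLogin() and logoutAndRedirect() are assumed; userAuthenticated and index.php come from the question.

```php
<?php
// Added example, not the asker's code. Enforces the idle timeout on the
// server instead of relying on the browser dropping a lifetime-0 cookie or
// on session.gc_maxlifetime (garbage collection runs only probabilistically,
// so a session file can outlive its 900 seconds).
// Assumed names: lastActivity, SESSION_IDLE_SECONDS, requireLogin(),
// logoutAndRedirect().

const SESSION_IDLE_SECONDS = 900; // matches session.gc_maxlifetime = 900

session_start();

function requireLogin(): void
{
    // Use || so a missing flag and a false flag are both rejected; with
    // 'and', a missing flag makes the whole condition false and lets the
    // request through.
    if (!isset($_SESSION['userAuthenticated'])
        || $_SESSION['userAuthenticated'] !== true) {
        logoutAndRedirect();
    }
    // Authenticated but idle too long: treat as expired even though the
    // session data still exists on the server.
    if (!isset($_SESSION['lastActivity'])
        || time() - $_SESSION['lastActivity'] > SESSION_IDLE_SECONDS) {
        logoutAndRedirect();
    }
    $_SESSION['lastActivity'] = time();
}

function logoutAndRedirect(): void
{
    $_SESSION = [];
    // Expire the client-side cookie as well, so a browser that restores its
    // previous session does not send the old session ID back.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: index.php');
    exit;
}

// On successful login, set both values and rotate the session ID:
// session_regenerate_id(true);
// $_SESSION['userAuthenticated'] = true;
// $_SESSION['lastActivity'] = time();

requireLogin();
```

Call requireLogin() at the top of every protected page in place of the bare isset check; the lastActivity timestamp is what actually ends the session after 15 minutes of inactivity.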