Posted by shimmyshack on 03/06/07 01:36
On Mar 5, 8:38 pm, "dimo414" <dimo...@gmail.com> wrote:
> > ...if they select No I want the
> > session to destroy so other users can not see the info the previous user put
> > in the form by selecting the back button in IE.
>
> Saving form data between pages (unless your script is doing it, in
> which case you can just put in controls to stop it) is a browser
> operation, nothing to do with the server. The best way for a user to
> be relatively sure their form submissions (along with their session
> data) is destroyed, is to close the browser. I would suggest simply
> putting a note at the end of the form to close the browser if the user
> is worried about others seeing what they entered.
dimo, be careful what you suggest.

Sessions are server-based data storage, a token being sent to the
browser and then back to the server to link the browser by way of an
ID with the data from the form serialised and stored as session data
on the server against that ID.

Using a browser to "store" data is bad design. If you are posting a
multipage form, why waste the server's time if you want to handle the
storage locally anyway?

Session destruction by closing the browser is again not reliable, as it
depends on the implementation of the session server side as to whether
this even works. For instance, well-written sessions implement timeouts
which might last 5 minutes after the browser is closed, besides which
you might not have actually closed all the windows when you reopen the
browser. On top of this you are expecting a process to happen
automatically simply because the restarting of the browser means the
browser has "forgotten" the session ID. I haven't checked this, but I
would be willing to bet an infinitesimal amount of pretend money that
Firefox remembers the session ID if it thinks it has crashed - as it does
remember form details - I stress I could be wrong, but relying on
browsers for functionality you can code for yourself seems wrong.

There is no reason why a session destroy script cannot be called
automatically. Even using a thank-you image
<img src="/great_big_smiley_disguised_as_session_destroy_image.php" />
which deleted the data would be easy and standard. I can't see the
reason why this isn't the way to go. Obviously, though, not an image but
a button which POSTs (because it changes the state of the app) to a
session_destroy script. This script could be the same script that you
use for a logout.
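The POST-only session destroy script described in the reply above, as an added example that is not part of the original thread. The file name, the csrf_token session key and form field, and the /thanks.php redirect target are assumptions made for illustration.

```php
<?php
// destroy_session.php (hypothetical file name; added example, not from the thread)
declare(strict_types=1);

session_start();

// Only a POST may change state. A GET, such as an <img> request or a
// link prefetch, is refused so it cannot end the session by accident.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Allow: POST');
    http_response_code(405);
    exit;
}

// Assumption: the form page stored a random token in $_SESSION['csrf_token']
// and echoed it into a hidden field named "csrf_token" next to the button.
$expected = $_SESSION['csrf_token'] ?? '';
$supplied = $_POST['csrf_token'] ?? '';
if (!is_string($expected) || !is_string($supplied)
    || $expected === '' || !hash_equals($expected, $supplied)) {
    http_response_code(403);
    exit;
}

// 1. Drop the form data held server-side against this session ID.
$_SESSION = [];

// 2. Expire the session cookie so the browser stops sending the old ID.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}

// 3. Remove the session record from server-side storage.
session_destroy();

// Do not let this response be cached, then redirect with 303 so that a
// reload or the back button does not resubmit the POST.
header('Cache-Control: no-store');
header('Location: /thanks.php', true, 303); // hypothetical landing page
exit;
```

The same script can serve as the logout endpoint, as the reply suggests, since both need the server-side data and the cookie removed together.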