Thanks in advance, zeet If you store a map of userid to sessionid in the database then you could potentially read it from another machine (each time a user accesses your site) and invalidate the session the next time the user accesses the site.
There would be performance implications to this though in terms of additional database accesses.
What can be an alternative solution to invalidate a user session on browser closure ?
Session (in)validation is usually a server concept: a session is "valid" as long as the server considers it to be valid, i.e.
For example, there are well-known implementations, such as Microsoft ASP.
NET, making use of 120-bit random numbers for its session IDs (represented by 20-character strings ) that can provide a very good effective entropy, and as a result, can be considered long enough to avoid guessing or brute force attacks.
In order to keep the authenticated state and track the users progress within the web application, applications provide users with a session identifier (session ID or token) that is assigned at session creation time, and is shared and exchanged by the user and the web application for the duration of the session (it is sent on every HTTP request). With the goal of implementing secure session IDs, the generation of identifiers (IDs or tokens) must meet the following properties: The name used by the session ID should not be extremely descriptive nor offer unnecessary details about the purpose and meaning of the ID. Therefore, the session ID name can disclose the technologies and programming languages used by the web application.
but how do you think that above this code will work , if two persons were logged from two seperate Machines ??
If not, they invalidate the session and redirect the user to a login page.
If there is a match then the request continues on unimpeded and functions as normal.
The session ID must be unpredictable (random enough) to prevent guessing attacks, where an attacker is able to guess or predict the ID of a valid session through statistical analysis techniques.
For this purpose, a good PRNG (Pseudo Random Number Generator) must be used.