I need to run this code:
<?PHP
$pin=$_GET["pin"];
unlink("../users/$pin/host.php");
unlink("../users/$pin/votes.php");
unlink("../users/$pin/guest.php");
rmdir("../users/$pin");
echo "Session ended";
?>
Which is located at php/endsesh.php
Basically, when you start a session it creates you a folder with a pin number, and it places a host, guest and votes file.
I need this PHP script to run when the tab is closed, so it can delete all those files (Otherwise I'm just overloading my server with files)
So far I'm trying this with no luck:
<script>
window.onbeforeunload = function() {
alert("<?php include("http://musicdemo.hol.es/php/endsesh.php?pin=" . $_GET["pin"]; ?>");
$.get("http://musicdemo.hol.es/php/endsesh.php?pin=<?php echo $_GET["pin"]; ?>");
return false;
return "If you exit this page your session will not end. Please either allow the pop-up, by staying in this page and closing again, or click the link saying 'Close this session'";
}
</script>
neither the alert or the $.get commands work.
onbeforeunload is a highly secured, sandboxed event. It's really designed solely to catch people with "are you sure you want to close this window" messages, so I'm pretty sure it doesn't allow more advanced features such as an ajax call. To do so would open up security holes that allow malicious sites to prevent you from closing the window.
I think doing an ajax call to clean up server side session files is not the appropriate strategy anyway, since the browser could easily crash, laptop could lose power, user could lose network connectivity preventing the ajax call etc. You can't rely on that ajax call succeeding.
PHP already has very good session handling capabilities via session_start() and the $_SESSION global variable, which already has a built in cleanup feature for expiring old sessions.
If you absolutely must keep your current solution, what I would do is run a cron job every hour, day, week, whatever, that searches for any of your files that haven't been accessed in say 24 hours and deletes them.
Also I should note that taking a $_GET and passing it directly to unlink is one of the worst, most insecure things you can do in php. If you have that running on a server right now, you need to fix it immediately, since a malicious user could potentially do something like http://musicdemo.hol.es/php/endsesh.php?pin=../../../../../../etc/passwd. if 'pin' is a number, you should at least do something like:
<?PHP
$pin=$_GET["pin"];
$pin = (int) $pin; // ensure pin is converted to an integer
unlink("../users/$pin/host.php");
unlink("../users/$pin/votes.php");
unlink("../users/$pin/guest.php");
rmdir("../users/$pin");
echo "Session ended";
?>
This code looks to be incorrect, try:
<script>
window.onbeforeunload = function() {
$.get("http://musicdemo.hol.es/php/endsesh.php?pin=<?php echo $_GET["pin"]?>");
return false;
return "If you exit this page your session will not end. Please either allow the pop-up, by staying in this page and closing again, or click the link saying 'Close this session'";
}
</script>
It looks like your alert line is messing this up.
remove alert().
keep $.get.
Have you seen the apache logs?
Probably you could have a permission problems (chmod +x endsesh.php).
I think i will give a try with exec (http://it2.php.net/function.exec).
But before you have to understand if endsesh.php is reached.