W3C home > Mailing lists > Public > whatwg@whatwg.org > December 2008

[whatwg] When closing the browser

From: Bil Corry <bil@corry.biz>
Date: Fri, 12 Dec 2008 15:56:31 -0600
Message-ID: <4942DE0F.5090106@corry.biz>
Ian Hickson wrote on 12/12/2008 2:34 PM: 
> If the goal is auto-logout, then what you describe wouldn't help, as it 
> would have false-positives (leaving the site when another tab still has 
> the site open) and false-negatives (a crash wouldn't log out the user).

Well, more thought needs to go into it.  And maybe it isn't practical, I don't know.

 
> Why do session cookies not address this already?

They do to some extent.  You can choose to make the session life shorter, increasing security but potentially logging the user out before they're ready OR you can choose to make the session life longer, decreasing security but allowing the user more time.

What I see banks do is make the session life short and prompt the user to renew their session before it expires.  It could be that's the ideal way to handle it.  Or maybe it'd be better if non-persistent cookies are removed once the user no longer has an open tab to the site, instead of using a JavaScript-based solution.


- Bil
Received on Friday, 12 December 2008 13:56:31 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:08:46 UTC