
[whatwg] When closing the browser

From: Philipp Serafin <phil127@gmail.com>
Date: Sat, 13 Dec 2008 15:09:40 +0100
Message-ID: <4943C224.3000204@gmail.com>
Ian Hickson wrote:
> On Fri, 12 Dec 2008, Bil Corry wrote:
>   
>> Speaking of 'onbeforeunload' and 'beforeunload' -- it'd be helpful if 
>> there was a way to distinguish between the user taking an action which 
>> leaves the site vs. taking an action that returns to the site.
>>
>> For privacy, it shouldn't reveal which specific action triggered the 
>> event, but knowing if the user is leaving the site means webapps can 
>> finally auto-logout the user, which in turn greatly improves security.
>>     
>
> If the goal is auto-logout, then what you describe wouldn't help, as it 
> would have false-positives (leaving the site when another tab still has 
> the site open) 
You can solve this easily: just use the same algorithm that 
SessionStorage uses to determine if the session is closed. In other 
words, only set this value to true if the user closes the tab/navigates 
to another domain *and* if there are no other open tabs for this domain.
> and false-negatives (a crash wouldn't log out the user).
>   
I think a responsible server implementation would use this *in addition* 
to session timeouts, not instead of them.
> Why do session cookies not address this already?
>   
I think there are still scenarios where it would be valuable for the 
server to know *exactly when* the user logged out. One example would be 
those "XY is online" badges you see in many internet forums today. 
Today, those have a margin of error of about 15 to 20 minutes at best.
With session cookies, if the client doesn't send more requests, the 
server after all has to guess if you logged out or if you're just taking 
your time. So you have to wait for a pretty long timeout period in any 
case. Even if a 15 minute timeout is not so much of a problem from a 
user perspective, it's still a lot of memory a (potentially busy) server has 
to keep around longer than really necessary.
You can't simply "force-logout" the user inside onunload either, because 
of the "false positives" above.

I believe such an onunload parameter could fill this gap. With it, you 
could simply check if you're the last open window and, if you are, issue 
a "logout" XHR.
Received on Saturday, 13 December 2008 06:09:40 UTC
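
The scheme discussed in this message, as an added example that is not part of the original thread: a logout request sent only by the last closing window, with the server's idle timeout kept as the fallback for crashes. `SessionStore`, `BrowserModel` and `isLastWindow` are hypothetical names; the window bookkeeping stands in for the proposed onunload parameter.

```javascript
// Constructed model; every name here is hypothetical, not a browser or spec API.
const IDLE_TIMEOUT_MS = 15 * 60 * 1000; // fallback timeout (the 15 minute figure above)

class SessionStore {
  constructor() { this.lastSeen = new Map(); } // sessionId -> time of last request (ms)

  touch(id, now) { this.lastSeen.set(id, now); }

  // Explicit "logout" request, sent by the last closing window.
  logout(id) { return this.lastSeen.delete(id); }

  // Timeout fallback: covers a crash, where no logout request is ever sent.
  sweep(now) {
    const expired = [];
    for (const [id, seen] of this.lastSeen) {
      if (now - seen >= IDLE_TIMEOUT_MS) {
        this.lastSeen.delete(id);
        expired.push(id);
      }
    }
    return expired;
  }

  isOnline(id, now) {
    const seen = this.lastSeen.get(id);
    return seen !== undefined && now - seen < IDLE_TIMEOUT_MS;
  }
}

// Stand-in for the browser: tracks this site's open windows and sends the
// logout only when the closing window is the last one.
class BrowserModel {
  constructor(store, sessionId) {
    this.store = store;
    this.sessionId = sessionId;
    this.windows = new Set();
  }

  open(windowId, now) { this.windows.add(windowId); this.store.touch(this.sessionId, now); }

  // Returns true if this close sent the logout request.
  close(windowId) {
    if (!this.windows.delete(windowId)) return false;
    const isLastWindow = this.windows.size === 0; // models the proposed parameter
    return isLastWindow ? this.store.logout(this.sessionId) : false;
  }

  crash() { this.windows.clear(); } // no unload handler runs, nothing is sent
}
```
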
