
[whatwg] When closing the browser

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 27 Apr 2009 18:24:42 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0904271821280.12381@hixie.dreamhostps.com>

On Mon, 27 Apr 2009, Bil Corry wrote:
> Ian Hickson wrote on 4/24/2009 6:36 PM: 
> >>>
> >>> Why do session cookies not address this already?
> >>
> >> I think there are still scenarios where it would be valuable for the 
> >> server to know *exactly when* the user logged out. One example would 
> >> be those "XY is online" badges you see in many internet forums today. 
> >> Today, those have a margin of error of about 15 to 20 minutes at 
> >> best.
> > 
> > In my own experience, closing the page is not a good indicator of when 
> > I've "logged out". I often have tabs open that I'm not planning on 
> > returning to, and I often close tabs only to reopen them shortly 
> > after. I see the same behaviour with others. So it's not clear to me 
> > that this would really improve matters.
> 
> I think it's important to note that some web applications may choose to 
> constrain users more tightly to improve security (such as when forcing 
> the user to choose a stronger password than they would normally choose).  
> So while you may not consider leaving the page as "logging out," your 
> bank may choose to interpret it differently, especially if they 
> determine that most of their users never use the "log out" feature on 
> the site.

True...

One option would be to have an attribute, say <body logout="">, which 
causes the user agent to ping the site when the window is closed and there 
are no other windows open to the same origin.

Of course this would break if the other window in question was open to a 
different page that didn't have the logout="" attribute..

Maybe it should be invoked if there are no other pages open that have the 
same logout="" attribute?

This has the advantage of not depending on JavaScript, and not affecting 
the browser's performance (no waiting for sync XHR, etc).

It would work somewhat like PING does today, though probably using POST.

Opinions?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 27 April 2009 11:24:42 UTC
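
The two trigger rules floated in the message above, modelled as an added example that is not part of the original post or of any browser's code. It assumes the logout="" value names the ping target and that pages are compared by that value; `shouldPing`, `simulate` and the sample pages are hypothetical names and constructed data.

```javascript
// Added illustration: models the two user-agent rules from the message.
// Assumption: a page is { origin, logout }, where logout is the attribute's
// value (treated here as the ping target) or null when the attribute is absent.

function shouldPing(openPages, closing, rule) {
  if (closing.logout === null) return false; // page never asked for a ping
  const others = openPages.filter((p) => p !== closing);
  if (rule === "origin") {
    // First idea: ping only when no other window is open to the same origin.
    return !others.some((p) => p.origin === closing.origin);
  }
  if (rule === "attribute") {
    // Refinement: ping when no other open page carries the same logout value.
    return !others.some((p) => p.logout === closing.logout);
  }
  throw new Error("unknown rule: " + rule);
}

// Close pages in the given order and collect the pings the UA would send.
function simulate(pages, closeOrder, rule) {
  const open = pages.slice();
  const pings = [];
  for (const i of closeOrder) {
    const page = pages[i];
    if (shouldPing(open, page, rule)) pings.push(page.logout);
    open.splice(open.indexOf(page), 1);
  }
  return pings;
}

// Constructed sample: a bank page with the attribute, a help page without it.
const samplePages = [
  { origin: "https://bank.example", logout: "/session/end" },
  { origin: "https://bank.example", logout: null },
];

console.log(simulate(samplePages, [0, 1], "origin"));    // []
console.log(simulate(samplePages, [0, 1], "attribute")); // [ '/session/end' ]
```

Closing the attributed page first under the origin rule produces no ping at all, so the server-side session stays live until its own timeout; the attribute rule sends exactly one.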
