[whatwg] When closing the browser
Martin Atkins
mart at degeneration.co.uk
Fri Dec 12 15:37:29 PST 2008
Ian Hickson wrote:
> On Fri, 12 Dec 2008, Bil Corry wrote:
>
>> Or maybe it'd be better if non-persistent cookies are removed once the
>> user no longer has an open tab to the site, instead of using a
>> JavaScript-based solution.
>
> This could be done now; I recommend bringing this up with browser vendors
> as a feature request.
>
I'm not sure this is as easy as it first appears. For example, consider
the following case:

* I have a single tab on site1 and I have a session cookie with them.
* I navigate from a page on site1 to site2 and site2 replaces site1 in
  my single tab.
* I navigate from site2 back to site1.

Have I now lost my session cookie?

This scenario is particularly important for technologies that use
redirects to exchange data between domains, such as OpenID.

Many OpenID implementations (for better or worse) use session cookies to
retain state while they do the OpenID transaction, which involves
redirecting the user away from your site to a URL on the provider's
domain. If implemented exactly as stated, the session cookie would
presumably be deleted during the OpenID transaction and the original
site will break.
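
Added example, not part of the original message: a toy model of the single-tab redirect scenario above, comparing eviction at browser close with a literal "evict when the last tab leaves the site" policy. The class `ToyBrowser`, the policy names, the cookie name `openid_state` and the `site1.example`/`site2.example` hosts are all assumptions made for illustration.

```javascript
// Toy model (constructed for illustration): one cookie jar, a list of tabs.
// "browser-close": session cookies live until the browser exits.
// "last-tab": a site's session cookies are evicted once no tab shows that site
//             (the quoted proposal, applied literally).
class ToyBrowser {
  constructor(policy) {
    this.policy = policy;
    this.tabs = [];          // tabs[i] = site currently shown in tab i
    this.jar = new Map();    // site -> Map(name -> value), session cookies only
  }
  openTab(site) { this.tabs.push(site); return this.tabs.length - 1; }
  setSessionCookie(site, name, value) {
    if (!this.jar.has(site)) this.jar.set(site, new Map());
    this.jar.get(site).set(name, value);
  }
  getCookie(site, name) {
    const cookies = this.jar.get(site);
    return cookies && cookies.has(name) ? cookies.get(name) : null;
  }
  navigate(tab, site) {
    const previous = this.tabs[tab];
    this.tabs[tab] = site;
    // Evict as soon as no remaining tab shows the site that was just left.
    if (this.policy === "last-tab" && !this.tabs.includes(previous)) {
      this.jar.delete(previous);
    }
  }
}

// Relying party (site1) keeps pending login state in a session cookie,
// redirects to the provider (site2), and expects the cookie on return.
function openIdRoundTrip(policy, extraTabOnSite1 = false) {
  const b = new ToyBrowser(policy);
  const tab = b.openTab("site1.example");
  if (extraTabOnSite1) b.openTab("site1.example"); // a second tab stays on site1
  b.setSessionCookie("site1.example", "openid_state", "nonce-constructed-123");
  b.navigate(tab, "site2.example");   // redirect to the provider
  b.navigate(tab, "site1.example");   // redirect back to the relying party
  return b.getCookie("site1.example", "openid_state");
}

console.log("browser-close:", openIdRoundTrip("browser-close"));
console.log("last-tab, single tab:", openIdRoundTrip("last-tab"));
console.log("last-tab, second tab open:", openIdRoundTrip("last-tab", true));
```

In this model the login state survives the round trip only under the browser-close policy, or under the last-tab policy when another tab happens to remain on site1.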