[whatwg] When closing the browser
Philipp Serafin
phil127 at gmail.com
Sat Dec 13 06:09:40 PST 2008
Ian Hickson schrieb:
> On Fri, 12 Dec 2008, Bil Corry wrote:
>
>> Speaking of 'onbeforeunload' and 'beforeunload' -- it'd be helpful if
>> there was a way to distinguish between the user taking an action which
>> leaves the site vs. taking an action that returns to the site.
>>
>> For privacy, it shouldn't reveal which specific action triggered the
>> event, but knowing if the user is leaving the site means webapps can
>> finally auto-logout the user, which in turn greatly improves security.
>>
>
> If the goal is auto-logout, then what you describe wouldn't help, as it
> would have false-positives (leaving the site when another tab still has
> the site open)
You can solve this easily, just use the same algorithm that
SessionStorange uses to determine if the session is closed. In other
words, only set this value to true if the user closes the tab/navigates
to another domain *and* if there are no other open tabs for this domain.
> and false-negatives (a crash wouldn't log out the user).
>
I think a responsible server implementation would use this *in addition*
to session timeouts, not instead of them.
> Why do session cookies not address this already?
>
I think there are still scenarios where it would be valuable for the
server to know *exactly when* the user logged out. One example would be
those "XY is online" badges you see in many internet forums today.
Today, those have a margin of error of about 15 to 20 minutes at best.
With session cookies, if the client doesn't send more requests, the
server after all has to guess if you logged out or if you're just taking
your time. So you have to wait for a pretty long timeout period in any
case. Even if a 15 minute timeout is not so much of a problem from a
user perspective, it's still a lot of memory a (potentially buisy) has
to keep around longer than really necessary.
You can't simply "force-logout" the user inside onunload either, because
of the "false positives" above.
I believe, such an onunload parameter could fill this gap. With it, you
could simply check, if you're the last open window and if you are issue
a "logout" XHR.
More information about the whatwg
mailing list