[whatwg] When closing the browser

Martin Atkins mart at degeneration.co.uk
Fri Dec 12 15:37:29 PST 2008


Ian Hickson wrote:
> On Fri, 12 Dec 2008, Bil Corry wrote:
> 
>> Or maybe it'd be better if non-persistent cookies are removed once the 
>> user no longer has an open tab to the site, instead of using a 
>> JavaScript-based solution.
> 
> This could be done now; I recommend bringing this up with browser vendors 
> as a feature request.
> 

I'm not sure this is as easy as it first appears. For example, consider 
the following case:

* I have a single tab on site1 and I have a session cookie with them.
* I navigate from a page on site1 to site2 and site2 replaces site1 in 
my single tab.
* I navigate from site2 back to site1.

Have I now lost my session cookie?

This scenario is particularly important for technologies that use 
redirects to exchange data between domains, such as OpenID.

Many OpenID implementations (for better or worse) use session cookies to 
retain state while they do the OpenID transaction, which involves 
redirecting the user away from your site to a URL on the provider's 
domain. If implemented exactly as stated, the session cookie would 
presumably be deleted during the OpenID transaction and the original 
site will break.
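
The scenario in the message above, as an added example that is not part of the original post: a constructed JavaScript model of a browser cookie jar that runs the same redirect round trip under today's behaviour and under the proposed "purge when no tab is open to the site" rule. The `Browser` class, the `purgeOnLastTabClose` flag, the site names and the cookie value are all assumptions made for illustration.

```javascript
// Constructed model: session cookies are stored per site, tabs show one site each.
// purgeOnLastTabClose models the proposal quoted above (hypothetical flag).
class Browser {
  constructor(purgeOnLastTabClose) {
    this.purge = purgeOnLastTabClose;
    this.jar = new Map();  // site -> Map(cookie name -> value), session cookies only
    this.tabs = [];        // site currently displayed in each tab
  }
  openTab(site) { this.tabs.push(site); return this.tabs.length - 1; }
  navigate(tab, site) {
    const prev = this.tabs[tab];
    this.tabs[tab] = site;
    // Proposed rule: drop a site's session cookies once no tab shows that site.
    if (this.purge && prev !== site && !this.tabs.includes(prev)) this.jar.delete(prev);
  }
  setCookie(site, name, value) {
    if (!this.jar.has(site)) this.jar.set(site, new Map());
    this.jar.get(site).set(name, value);
  }
  getCookie(site, name) {
    const cookies = this.jar.get(site);
    return cookies ? cookies.get(name) : undefined;
  }
}

// The relying party keeps pending login state in a session cookie, redirects
// to the provider, and expects the cookie back on the return request.
function openIdLogin(browser, extraTabOnRp) {
  const rp = "site1.example", op = "provider.example"; // constructed names
  const tab = browser.openTab(rp);
  if (extraTabOnRp) browser.openTab(rp);                // second tab stays on site1
  browser.setCookie(rp, "openid_state", "nonce-123");   // constructed value
  browser.navigate(tab, op);  // redirect away to the provider
  browser.navigate(tab, rp);  // redirect back to the original site
  return browser.getCookie(rp, "openid_state") === "nonce-123"
    ? "login completed" : "state lost: login fails";
}

function runScenarios() {
  return {
    current: openIdLogin(new Browser(false), false),
    proposedOneTab: openIdLogin(new Browser(true), false),
    proposedTwoTabs: openIdLogin(new Browser(true), true),
  };
}
console.log(runScenarios());
```

In this model the proposed rule only breaks the flow when the redirecting tab is the last one open on the original site, so whether the login survives depends on how many tabs happen to be open.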




