[whatwg] When closing the browser

Calogero Alex Baldacchino alex.baldacchino at email.it
Sat Dec 13 09:31:36 PST 2008

Ian Hickson ha scritto:
> On Fri, 12 Dec 2008, Bil Corry wrote:
>> Speaking of 'onbeforeunload' and 'beforeunload' -- it'd be helpful if 
>> there was a way to distinguish between the user taking an action which 
>> leaves the site vs. taking an action that returns to the site.
>> For privacy, it shouldn't reveal which specific action triggered the 
>> event, but knowing if the user is leaving the site means webapps can 
>> finally auto-logout the user, which in turn greatly improves security.
> If the goal is auto-logout, then what you describe wouldn't help, as it 
> would have false-positives (leaving the site when another tab still has 
> the site open)

As well as any tab-restricted session data, if not aware of other 
tabs/windows (as Philipp Serafin suggested, whatever is done to make a 
tab aware of other tabs with the same domain, can be done for an 
attribute telling wheter the user is leaving a certain domain).

>  and false-negatives (a crash wouldn't log out the user).

Which may affect persistent cookies, but can be a concern for any 
solution, when it comes with cookie theft (that is, some communication 
with the server may be needed, beside the use of cookies or anything 
else, and such may fail because of a crash).

> Why do session cookies not address this already?

Both session and persistent cookies may address this (with the concern 
of false negatives, specially for persistent cookies, but not only). 
Both need to be enabled in a browser to work (usually they are, session 
cookies most of times). Both may fail alone (that is, if an immediate 
invalidation of login data is required - this is a side, related issue).

If the goal is auto-logout *as soon as the user leaves the site*, 
whenever the downside of a possible new login request during the same 
session is not a usability concern, a (session) cookie lifetime must be 
shortened, for instance by adding an expiration timing (e.g., for a 
session cookie, something like 'sessionID=asdf1234fdas.exp=<current gmt 
date + 3 seconds>;'), this way if the user reloads the page or navigates 
a tab history the server will likely recieve such modified cookie before 
its 'expiration' and abort  an atuo-logout process (a cached webapp may 
check cookies as well), otherwise, whenever recieving an 'expired' 
cookie, the logout would trigger immediately; if the client-side script 
knew the user is leaving the site, any cookie might be removed.

But such wouldn't solve the server-side logout concern: to invalidate 
any login data, in the above scenario an expired cookie must be 
recieved, thus possibly giving a cookie thief a longer time to work. Of 
course, there are solutions to address that. A first one may consist of 
telling the server to trigger a delayed logout process, waiting for a 
cookie before timing out (in this case, there might not be any need to 
modify cookies, though such might be done as well, e.g. with a random 
value communicated to the server in order to prevent an attacker from 
using a stolen cookie - or to mitigate the effectiveness of a cookie 
theft). Nontheless, such a solution may fail because of a crash, thus a 
server-side timeout may be preferred (even just setting a date value 
after which any recieved cookie is no more valid); a more complex 
scenario may involve both a server timeout, a client-side-triggered 
logout (for immediate logout), and bidirectional communications (to 
reset any timeout and eventually to update cookies).

The above won't prevent false positives; a further cookie might be used 
as a counter to be incremented by any loaded page and decreased by any 
left page, delegating effective logout to the last page (unless a 
server-side timeout-only solution were preferred, but such wouldn't 
address the 'immediate auto-logout' goal we started from).

All fine, although based on the assumption at least session cookies are 
avalaible, which is true most of times, and, when false (a 
privacy-paranoid user?), just telling the user he needs to enable 
cookies works. However, a kind of "DOM-only" alternative, not bothering 
the user to change his privacy settings and perhaps a bit easier to 
handle (script-side) than cookies in some cases, might be appreciable: 
an attribute telling when the site is about to be left during current 
session, and cross-windows messaging, with some blessed origin checking, 
when some cooperation is needed (e.g. to tell a widget inside an iframe 
to keep logged in, or to share a secret ID with pages from the same domain).

Best regards,

 Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it http://www.email.it/f
 CheBanca! La prima banca che ti dà gli interessi in anticipo.
* Fino al 4,70% sul Conto Deposito, zero spese e interessi subito. Aprilo!
 Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=7918&d=13-12

More information about the whatwg mailing list