[whatwg] When closing the browser
ian at hixie.ch
Thu Jun 4 17:02:05 PDT 2009
On Mon, 27 Apr 2009, Tab Atkins Jr. wrote:
> On Mon, Apr 27, 2009 at 1:24 PM, Ian Hickson <ian at hixie.ch> wrote:
> > One option would be to have an attribute, say <body logout="">, which
> > causes the user agent to ping the site when the window is closed and there
> > are no other windows open to the same origin.
> > Of course this would break if the other window in question was open to a
> > different page that didn't have the logout="" attribute..
> > Maybe it should be invoked if there are no other pages open that have the
> > same logout="" attribute?
> > the browser's performance (no waiting for sync XHR, etc).
> > It would work somewhat like PING does today, though probably using POST.
> As an author, I'd definitely use it. I'd want the second option (ping
> when you close the last window with a given logout attribute), as that
> would allow me to define 'domains' within the same origin that track
> logins separately.
> It would be easy to code against the lack of this (just do an occasional
> cleanup of sessions that have aged too much, which you'd have to do
> anyway in case of nonstandard browser exits), but would allow better,
> more reliable security for users with browsers that implement it.
> currently, but @logout would make it both trivial and dependable.
On Mon, 27 Apr 2009, João Eiras wrote:
> What if there is a loss of connectivity or the user agent crashes ?
> Relying on user agent telling when documents are unloaded has never been
> reliable nor will ever be. So, websites do timeouts and will continue to
> do so because those are needed.
> This is really about making the whole logout process more friendly for
> the web developer though. I thought of exporting a service, using a
> special element or something, which the user agent could call when if
> unloads all documents related to that origin or a special token in that
> element. Like <logout specialtoken="123abcsessionid" content="/logout">
> The user agent would do a GET request of /logout when it no longer had
> documents loaded on windows with a logout tag with that specific
> specialtoken value. specialtoken (or whaever you'd like to call it)
> could be optional and in that case the user agent could rely on origin.
> This way, the server would not need to count the number of loaded
On Mon, 27 Apr 2009, Philipp Kempgen wrote:
> Maybe <link rel="logout" href="..."> is more suitable?
> Server-side applications should probably implement that in a way such
> that just one session (identified by a session cookie or whatever) gets
> logged out -- in contrast to all sessions of a user. The user might be
> logged in using 2 different browsers and might want to log out in one
> browser but keep the session active in the second one.
> And I'd probably want a same domain policy for the logout ping be
> implemented in the browser.
On Tue, 28 Apr 2009, Bil Corry wrote:
> I like the idea -- thinking out loud here, rather than invoking it when
> all pages having the same logout="" attribute are closed, can it instead
> use some other grouping identifier? That would allow a developer to
> pass back unique information from each page via the URI. And I like
> POST instead of GET. A same-origin restriction would be good too.
> Would the browser accept a response from the logout? I'm thinking that
> could be used to immediate end the cookie(s).
I like Philipp's idea of making this a new "rel" value. I encourage people
who are interested in this idea to add it to the WHATWG RelExtensions
wiki, write a spec for it (you can put it on a page on that wiki if you
like) and then see if browser vendors are interested in supporting this
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg