Monday, 29 December 2014

What is the state of the art for forcing logout on browser quit?
Background:
Most browsers have implemented some form of "Session Restore" functionality as a convenience to users where, if enabled, session cookies will be persisted across browser restarts.
The browser vendors have a defensible position for keeping these features. This puts the onus on users to configure their browsers "correctly" and/or manually log out of the sites before quitting the browser.
Question:
For a site that provides access to highly sensitive data AND is used in shared computing environments, what are the best practices for guaranteeing that a session is destroyed when the browser is closed?
Possible ideas include:
  1. Listening for onbeforeunload events or similar and counting the number of open windows or tabs. When the count goes to 0, send a message to the server to invalidate the session. This seems problematic, due to: a) cross browser event-handling quirks, and b) navigation away from the site, intentional or accidental, would be treated the same as closing the last tab or window.

  2. Implementing a "heartbeat" in the client code that once absent for a period of time invalidates the server session. This also seems challenging due to: a) network latency possibly causing false-positive logouts, and b) some browsers suspending JavaScript code for backgrounded tabs (or applications on mobile).
Are there any other approaches that are reliable across the various web platforms? What are the highest-security websites currently doing in this space?
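As an added illustration of idea 2 (this is example code, not part of the original question), here is a server-side session registry that tolerates a few late heartbeats before logging the user out (so ordinary network jitter does not cause false positives) and also enforces an absolute session lifetime as a backstop for the case where a backgrounded tab stops sending heartbeats entirely. The `SessionRegistry` class, the constants and the timing values are all assumptions; the client is assumed to call the `heartbeat` handler every `HEARTBEAT_INTERVAL` seconds.

```python
import secrets
from dataclasses import dataclass

HEARTBEAT_INTERVAL = 30.0      # seconds between client pings (assumed)
MISSED_BEATS_ALLOWED = 2       # late/lost pings tolerated before logout
ABSOLUTE_LIFETIME = 8 * 3600   # hard cap, regardless of heartbeats


@dataclass
class Session:
    user: str
    created_at: float   # monotonic or epoch seconds, caller's choice
    last_beat: float


class SessionRegistry:
    """In-memory session store driven by client heartbeats."""

    def __init__(self, interval=HEARTBEAT_INTERVAL,
                 missed=MISSED_BEATS_ALLOWED, lifetime=ABSOLUTE_LIFETIME):
        # Grace window: one expected interval plus the tolerated misses.
        self.grace = interval * (missed + 1)
        self.lifetime = lifetime
        self._sessions = {}

    def create(self, user, now):
        sid = secrets.token_urlsafe(32)          # unguessable session id
        self._sessions[sid] = Session(user, now, now)
        return sid

    def _expired(self, s, now):
        return (now - s.last_beat > self.grace
                or now - s.created_at > self.lifetime)

    def is_valid(self, sid, now):
        s = self._sessions.get(sid)
        if s is None:
            return False
        if self._expired(s, now):
            del self._sessions[sid]              # evict on first sight
            return False
        return True

    def heartbeat(self, sid, now):
        """Client ping. False means the session is gone: redirect to login."""
        if not self.is_valid(sid, now):
            return False
        self._sessions[sid].last_beat = now
        return True

    def logout(self, sid):
        """Explicit logout, e.g. from a beforeunload beacon (idea 1)."""
        return self._sessions.pop(sid, None) is not None

    def reap(self, now):
        """Periodic sweep; returns the ids of sessions it removed."""
        dead = [sid for sid, s in self._sessions.items() if self._expired(s, now)]
        for sid in dead:
            del self._sessions[sid]
        return dead
```

Note that a tab suspended for longer than the grace window is logged out just like a closed browser; that is the trade-off the question points at, and shortening the grace window only makes it sharper.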
