[owasp-intrinsic-security] Logging Out
bil at corry.biz
Tue Nov 11 21:10:50 EST 2008
Jim Manico wrote on 11/11/2008 3:44 PM:
> From an intrinsic point of view, one easy suggestion would be to
> BROWSER-CLOSE event: an event that fires only when the final instance of
> a browser is closed. This will let the programmer easily trap when to
> send an ajax logout event back to the server to force a real logout.
If I'm following you, that would catch the scenario where a user is using a site, then closes their browser when finished. But it wouldn't help for other scenarios where the user simply closes the tab, or navigates to a new location using the same tab, etc.
So the question becomes, how do you know when a user is finished with a site?
(1) Closes the browser
(2) Closes the tab
(3) Navigates away from the site using the address bar (or bookmark, etc.)
(4) Navigates away from the site using the history (back button)
(5) Navigates away from the site following an external link