[owasp-intrinsic-security] Logging Out

Bil Corry bil at corry.biz
Tue Nov 11 21:10:50 EST 2008


Jim Manico wrote on 11/11/2008 3:44 PM: 
> From an intrinsic point of view, one easy suggestion would be to
> encourage all JavaScript implementors to support a complete
> BROWSER-CLOSE event: an event that fires only when the final instance of
> a browser is closed. This will let the programmer easily trap when to
> send an ajax logout event back to the server to force a real logout.

If I'm following you, that would catch the scenario where a user is using a site, then closes their browser when finished.  But it wouldn't help for other scenarios where the user simply closes the tab, or navigates to a new location using the same tab, etc.

So the question becomes, how do you know when a user is finished with a site?

(1) Closes the browser
(2) Closes the tab
(3) Navigates away from the site using the address bar (or bookmark, etc)
(4) Navigates away from the site using the history (back button)
(5) Navigates away from the site following an external link


In all cases, it may be the user intends to return to the site, so I'm wondering if a new paradigm is needed, one where a site can elect to be pinned to a single tab; that is, a tab can only serve pages from one site -- you can't navigate to another site from the tab, and external links are opened in new tabs.  This would solve the issue of the user going back in history to another site.  Then the only two events we have to watch for are closing the browser and closing the tab, and for those, we will need a new JavaScript event.  As for frames within pinned tabs, I'd imagine the JS event would trigger when the page containing the frame is closed or navigated away.



- Bil
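As an added example (not code from the thread or from either poster), the following sketch shows what the five "user is finished" cases look like from a defender's side today: a best-effort client beacon fired from the browser's `pagehide` event, which fires on browser close, tab close and every kind of navigation away but cannot distinguish between them, paired with a server-side session store that bounds every session with an idle timeout and an absolute lifetime so that a missed beacon never leaves a session live indefinitely. `installLogoutBeacon`, `createSessionStore`, the `/logout` URL and the timeout values are assumptions chosen for this illustration.

```javascript
// Added example (not from the original mailing-list thread). Client side:
// `pagehide` and `navigator.sendBeacon` are standard web APIs; the function
// is inert when run outside a browser (e.g. under Node) and returns false.
// The '/logout' endpoint name is an assumption for this example.
function installLogoutBeacon(logoutUrl) {
  if (typeof window === 'undefined' || typeof navigator === 'undefined') {
    return false; // not running in a browser, nothing to install
  }
  // Fires on browser close, tab close, address-bar/bookmark navigation,
  // back-button navigation and following an external link, so it covers
  // all five cases from the post, but it cannot tell them apart and may
  // never reach the server (offline, crash, beacon blocked).
  window.addEventListener('pagehide', () => {
    navigator.sendBeacon(logoutUrl, ''); // POST with the session cookie
  });
  return true;
}

// Server side (runs anywhere). Because the beacon is only best-effort, the
// server must bound each session itself: an idle timeout, an absolute
// lifetime, and an explicit logout that invalidates the session id.
const IDLE_TIMEOUT_MS = 15 * 60 * 1000;          // constructed policy value
const ABSOLUTE_TIMEOUT_MS = 8 * 60 * 60 * 1000;  // constructed policy value

function createSessionStore() {
  const sessions = new Map(); // sessionId -> { createdAt, lastSeen }
  return {
    // Register a freshly issued session id at time `now` (ms).
    create(id, now) {
      sessions.set(id, { createdAt: now, lastSeen: now });
    },
    // Validate a request carrying `id` at time `now`. Returns true and
    // refreshes lastSeen while the session is within both limits;
    // otherwise removes the session and returns false.
    touch(id, now) {
      const s = sessions.get(id);
      if (!s) return false;
      const idleExpired = now - s.lastSeen > IDLE_TIMEOUT_MS;
      const lifetimeExpired = now - s.createdAt > ABSOLUTE_TIMEOUT_MS;
      if (idleExpired || lifetimeExpired) {
        sessions.delete(id);
        return false;
      }
      s.lastSeen = now;
      return true;
    },
    // Handler for the beacon (or an explicit logout click): invalidate the
    // server-side session so the cookie value is useless afterwards.
    logout(id) {
      return sessions.delete(id);
    },
    size() {
      return sessions.size;
    },
  };
}
```

The point of the pairing is that the client-side event is a convenience for the common case, while the server-side limits are what actually end the session when none of the five events is observed.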


