4

I have a nagging issue, which is all over the internet, but I couldn't find a specific solution to my problem. Here it is:

In Chrome, you have the option to "Continue where i left off" on browser startup. This unfortunately means that all session cookies are preserved on browser close and restored on browser startup. I need my client-side (JavaScript) application to kill the cookie once the browser is closed, but that doesn't happen even if I don't set up an expiry date (so the cookie becomes a session cookie, even Chrome says it expires when the browsing session ends). Problem is that Chrome never kills the browsing session even if I close the browser or reboot the computer, because of that darn startup setting.

One way is to specify an expiry date 15 minutes (or whatever) into the future. On each user action, the cookie's expiry date gets refreshed (re-create cookie). On user inactivity of more than 15 minutes (or whatever) the cookie dies. I cannot afford the 15 minutes open for another person to open the browser and find himself in the previous person's session, and I can't have the current user log in after every time he goes to the loo. So I need exactly this: user logs in, cookie is set and persists exactly until the browser is closed. This is the normal behavior of a session cookie, but... (previous paragraph).

I also thought about deleting the cookie on window unload() event, but what if the application is opened in multiple tabs and the user only closes one of them? I could poll the existence of the cookie once per second, and having the cookie always saved in a JavaScript variable then I could restore the cookie (if needed) once a second if the user closes another tab. This would keep the cookie alive until the last tab with my application is closed, i.e. browser quit. This is my best current solution but I hate it.

Does anybody know of another (cleaner) way to achieve the same thing? Is there some way I can specify to Chrome (and/or other browsers) that I don't care about the user's startup setting, my cookie is supposed to die on browser close?

I hope I've made enough sense :)

Thank you

Teodor Sandu

1 Answer

3

The whole point is that this is a user option. It is not an application option. Your application has absolutely no business attempting to work around it, and should treat the scenario as if the user really were in the same session.

Lightness Races in Orbit
  • I know that. In this case it actually is an application option, I just want to know how I can kill my cookie on browser close, regardless of the user's preference. Also, I don't want to instruct the user to change that browser startup setting, as he might want it for other apps like Facebook, Gmail and such. – Teodor Sandu Dec 04 '12 at 13:50
  • You can always try to put the expiration date of the cookie to last year. Browsers will delete your cookie because it is expired. But you can only do that to your page. – André Silva Dec 04 '12 at 13:55
  • Andre, this is off-topic in this comment thread, which should only relate to Mr. LRO's answer. Please move your comment to a separate answer and I'll comment on your answer to let you know why it's wrong ;) Thanks for your time though – Teodor Sandu Dec 04 '12 at 14:00
  • It's like you didn't read my answer, Mtz. I know that you are trying to bypass the user setting, and I am saying _don't_! – Lightness Races in Orbit Dec 04 '12 at 14:10
  • Yeah... good luck explaining that to (some) clients ;) I'm not saying you're wrong, which is why I will accept your answer, yet sometimes clients want wrong things no matter how you try to explain it... – Teodor Sandu Dec 20 '12 at 08:48
  • @Mtz: Unless I'm starving, I reject such proposals and save the internet from another annoying website :) – Lightness Races in Orbit Dec 20 '12 at 12:21
  • @Lightness Races in Orbit: I agree, I just couldn't afford the luxury at the time – Teodor Sandu Feb 21 '13 at 08:09
  • @Mtz I know it's a very very old post, but I am in the same situation right now. Could you please explain how you went about it? – Aman Dec 07 '17 at 13:07
  • @Aman I didn't - I simply refused to do it this way, presenting some documentation about how it works (a 5-minute Google search, along with this question) - in the end the client understood that it's simply not possible *exactly* like this and we worked on the specs. There are quite a few alternatives, just look them up. Good luck :) – Teodor Sandu Dec 08 '17 at 16:34
  • @Mtz thanks for your response. I could not find any reputable source of documentation through google which proves this point. Do you have any? Thanks a ton in advance. – Aman Dec 10 '17 at 10:43
  • https://stackoverflow.com/questions/5292506/is-there-a-reliable-way-to-log-a-user-out-when-the-browser-is-closed - the heartbeat solution comes closest but it presents a scaling issue (think a lot of users, then multiply by X tabs they will typically open, and your server will get spammed with heartbeat requests). – Teodor Sandu Dec 11 '17 at 08:47
  • http://php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime - value of 0 means "until the browser is closed" and this holds true unless the browser doesn't clear cookies when it closes due to the "Continue where i left off" browser setting - this is clearly out of our reach, absolutely nothing we can do about it. It's the user's express choice to keep that session cookie alive even after closing the browser. – Teodor Sandu Dec 11 '17 at 08:53
  • even better: https://stackoverflow.com/questions/10617954/chrome-doesnt-delete-session-cookies – Teodor Sandu Dec 11 '17 at 08:55
  • Also, https://bugs.chromium.org/p/chromium/issues/detail?id=128513 and https://bugs.chromium.org/p/chromium/issues/detail?id=130291 provide some insight from the browser developers themselves. In conclusion, you may opt for a heartbeat or 'last action' mechanism or whatever else your client prefers. Good luck :) – Teodor Sandu Dec 11 '17 at 09:02
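
The 'last action' mechanism suggested in the final comment, as an added example (not code from this thread or from any project it links to): the server decides when the session ends, so a session cookie that the browser restores after a restart is rejected once the idle window has passed. `SessionStore`, the absolute age cap and the once-a-minute write coalescing (aimed at the heartbeat scaling concern raised above) are assumptions; only the 15-minute idle window comes from the question.

```javascript
const crypto = require('crypto');

const IDLE_LIMIT_MS = 15 * 60 * 1000;          // idle window from the question
const ABSOLUTE_LIMIT_MS = 8 * 60 * 60 * 1000;  // assumed hard cap on session age
const TOUCH_INTERVAL_MS = 60 * 1000;           // assumed: record activity at most once a minute

// Hypothetical in-memory store; a real deployment would back this with a database or cache.
class SessionStore {
  constructor() {
    this.sessions = new Map(); // id -> { user, createdAt, lastSeen }
    this.writes = 0;           // number of lastSeen updates, to show the coalescing
  }

  create(user, now = Date.now()) {
    const id = crypto.randomBytes(32).toString('hex'); // unguessable cookie value
    this.sessions.set(id, { user, createdAt: now, lastSeen: now });
    return id;
  }

  // Run on every request or heartbeat carrying the cookie.
  // Returns the user name, or null when the session is unknown or expired.
  validate(id, now = Date.now()) {
    const s = this.sessions.get(id);
    if (!s) return null;
    const idle = now - s.lastSeen;
    if (idle > IDLE_LIMIT_MS || now - s.createdAt > ABSOLUTE_LIMIT_MS) {
      this.sessions.delete(id); // a cookie restored by the browser is now worthless
      return null;
    }
    // Coalesce updates: many tabs polling cost one write per interval, at the
    // price of the idle window being up to TOUCH_INTERVAL_MS shorter.
    if (idle >= TOUCH_INTERVAL_MS) {
      s.lastSeen = now;
      this.writes += 1;
    }
    return s.user;
  }

  destroy(id) { // explicit logout
    return this.sessions.delete(id);
  }
}
```

Because expiry is checked against server-side state, it holds whether or not the browser deletes the cookie on close; the cookie only carries the identifier.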