32

I'm using session-based cookies with my website. To my complete surprise, I noticed if I set a session cookie (not a persistent cookie), close a tab, and then reconnect to the site, the session cookies are still there. That's not what I would have expected, actually. I would have expected the session cookies to be deleted.

If you close the browser, a session cookie is deleted, so why doesn't closing a tab have the same result?

Therefore, I'm using PHP5 and jQuery. Is there anything I can do such that when a tab is closed I can fix this session issue? Unfortunately the onbeforeunload event on the BODY tag is not useful here because when you click away from a page it fires that event, not just closing a tab.

Rahul Gupta-Iwasaki

5 Answers

24

The session cookie is per-process not per window. So even if you selected New Window you'd still get the same session id. This behavior makes sense. You wouldn't want a user to re-sign in each time they opened a new window while browsing your site.

I'm not aware offhand of any real way around this.

Tomasz Nurkiewicz
Paul Alexander
  • Paul, see my comment to Sander below that begins, "The problem here..." –  Apr 30 '09 at 08:35
  • 2
    In such circumstances, the tab closing isn't the main issue. It's controlling the expiration of the session more actively. You'll want to implement some sort of activity timeout on the client in JS that automatically logs out after no user activity. You'll find this type of behavior on most banking sites. – Paul Alexander Apr 30 '09 at 09:13
  • Paul, you are right. I slept on the issue and that's the course of action I plan to take. Now to put in another stackoverflow question on the most optimal way to implement that. –  Apr 30 '09 at 15:27
  • 1
    I think if someone figures out the cross-platform hack/kludge to detect with 90% accuracy that a tab has just been closed versus closing a page any other way, they will become a hero on the web. –  Apr 30 '09 at 15:51
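
The client-side activity timeout suggested in the comment above, as an added example that is not part of the original thread: it logs out after a period with no input events and re-checks when a sleeping tab wakes. The 5-minute limit and `/logout.php` are assumptions.

```javascript
// Added example: client-side idle logout. The limit and logout URL are assumptions.
const ACTIVITY_EVENTS = ['mousemove', 'keydown', 'click', 'scroll', 'touchstart'];

function createIdleLogout({ target, limitMs, onLogout, now = Date.now }) {
  let lastActivity = now();
  let loggedOut = false;

  // Any input event counts as activity and restarts the idle period.
  const touch = () => { if (!loggedOut) lastActivity = now(); };
  ACTIVITY_EVENTS.forEach((name) => target.addEventListener(name, touch, { passive: true }));

  // Compare timestamps instead of trusting one long setTimeout: background
  // tabs throttle timers, so the check must be correct whenever it runs.
  function check() {
    if (!loggedOut && now() - lastActivity >= limitMs) {
      loggedOut = true;
      ACTIVITY_EVENTS.forEach((name) => target.removeEventListener(name, touch));
      onLogout();
    }
    return loggedOut;
  }

  return { check, idleFor: () => now() - lastActivity };
}

// Browser wiring (skipped when the file is loaded outside a browser).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const idle = createIdleLogout({
    target: document,
    limitMs: 5 * 60 * 1000, // assumed limit
    onLogout: () => { window.location.href = '/logout.php'; }, // hypothetical endpoint
  });
  setInterval(idle.check, 15 * 1000);
  // Re-check as soon as a hidden or suspended tab becomes visible again.
  document.addEventListener('visibilitychange', idle.check);
}
```

A closed tab runs no script, so the server has to expire idle sessions on its own clock as well.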
8

This is by design and trying to change it is a very bad idea. What if a user opens a link in a new tab and closes that? Should the session in the original tab be destroyed? Of course not! This demonstrates why you should not even think about this.

A session ends when the last browser window closes. If you want something else, you:

  1. do not want sessions;
  2. need to make your own "mini-session" infrastructure;
  3. are probably in for a world of hurt and bugs.
Sander
  • 5
    The problem here is a public environment, like a library, and someone's online profile with identity info inside. I need to come up with a solution. –  Apr 30 '09 at 08:35
  • Nevertheless, it seems like you have a few good answers to this question, and should pick one of them as the correct answer. Perhaps you want to also start a new question? – bignose Apr 30 '09 at 09:18
  • 1
    It is wrong to assume that opening a new tab and destroying the previous tab session is a bad idea. This idea actually proves to be good for sites that would want extra security, for users to not mess with logging in again and triggering certain apis. And they could serve for better UI. So no, and if Stackoverflow grants me extra voting power, I will vote this answer up to negative. – tnkh Oct 12 '20 at 10:43
7

Session web storage can be used instead of cookies if you need to depend on tab closure.

Lexera
  • 2
    I think this is the most helpful answer, along with what is explained in the accepted answer. Yes you can do what you seem to be wanting to do, just use Session Storage. For more info see https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage – Panu Logic Jan 12 '20 at 18:44
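
An added sketch (not from the original answers) of how sessionStorage can make a login tab-scoped: the server issues a per-tab token at login, the page keeps it in sessionStorage and sends it in a header on script-issued requests, and the shared session cookie alone is not accepted. `TAB_KEY`, `TAB_HEADER`, `makeSite` and `fakeTabStorage` are hypothetical names, and the sketch assumes protected data is fetched by script (for example jQuery AJAX) so the header can be attached.

```javascript
// Added example. TAB_KEY, TAB_HEADER and makeSite are hypothetical names.
const TAB_KEY = 'tabToken';
const TAB_HEADER = 'x-tab-token';

// Client: `storage` is window.sessionStorage in a real page. The browser sends
// the cookie from every tab; the token is sent only by the tab that holds it.
function buildHeaders(storage, sessionCookie) {
  const headers = { cookie: sessionCookie };
  const token = storage.getItem(TAB_KEY);
  if (token !== null) headers[TAB_HEADER] = token;
  return headers;
}

// Server logic: a session is honoured only with the tab token issued at login.
// newId must be backed by a CSPRNG in real use; it is injected for the demo.
function makeSite(newId) {
  const sessions = new Map(); // session id -> expected tab token
  return {
    login() {
      const sid = newId();
      const tabToken = newId();
      sessions.set(sid, tabToken);
      return { sid, tabToken };
    },
    authorize(headers) {
      const expected = sessions.get(headers.cookie);
      return expected !== undefined && headers[TAB_HEADER] === expected ? 'ok' : 'login';
    },
  };
}

// Constructed stand-in for one tab's sessionStorage (demo only).
function fakeTabStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

// Demo: tab A logs in; the user closes it and opens tab B with the same cookie.
function demo() {
  let n = 0;
  const site = makeSite(() => `id-${++n}`); // predictable ids, demo only
  const tabA = fakeTabStorage();
  const { sid, tabToken } = site.login();
  tabA.setItem(TAB_KEY, tabToken);
  const tabB = fakeTabStorage(); // a newly opened tab has empty sessionStorage
  return {
    tabA: site.authorize(buildHeaders(tabA, sid)),
    tabB: site.authorize(buildHeaders(tabB, sid)),
  };
}
```

Per the MDN page linked above, sessionStorage survives page reloads and restores, and duplicating a tab copies it, so this narrows the window rather than replacing a server-side idle timeout.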
3

You can also write JavaScript that detects when a tab is closed and deletes the cookie.

junkam
2

I found a workaround.

I'm working in ASP.NET C#. I have a Master Page for all the pages of the site except for the Login page. In the Master Page Server Page Load event I get the Url of the referring page and check if it contains the root of the site; if not I redirect to the Login page, and since it doesn't have that Master Page it displays.

This works if I try to get to a page from another site or if I enter the Url to the address box of the browser. So if you close the tab and you try to reenter from another tab or reopen the tab, even though the cookie hasn't been killed you can't reenter the site without going through Login. This also works even if you haven't closed the tab and you're navigating between different sites in the same tab.

This is the code

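    // Redirect to Login unless the request was referred from within this site
    // ("root" stands for the root of the site).
    if (Request.UrlReferrer == null || !Request.UrlReferrer.AbsoluteUri.Contains("root"))
    {
        Response.Redirect("~/Account/Login.aspx");
    }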

When navigating from within the site there's no problem; even if you open a link to another page in the site in another tab, it opens.

If you want to be additionally sure you can kill the session and authentication cookie in that if clause before redirecting to the Login page.

This won't work when a user navigates to another site in the same tab and presses the browser's back button, because that works on cache and doesn't automatically send a request to the server.

So this doesn't kill the session or authentication cookie on closing the tab, but it can help prevent reentering the site without logging in after closing the tab.

Dov Miller