Solved

How do I kill a session when closing a tab without logging off?

Posted on 2014-12-18
Last Modified: 2016-05-13
Have a web app open with sensitive data in a browser tab.  The user closes the tab without logging off of the application.  The browser is still open with other tabs.  I can go onto another tab and select "reopen closed tabs" & my sensitive data is returned to me with the session still live.

We've tried the below suggestions, however, this is not working as needed.

http://stackoverflow.com/questions/1921941/close-kill-the-session-when-the-browser-or-tab-is-closed

http://stackoverflow.com/questions/19582615/end-session-on-browser-tab-close?answertab=active#tab-top

http://forums.asp.net/t/1527772.aspx?Kill+session+whether+user+closes+tab+or+closes+browser

http://yuvrajingale.wordpress.com/2013/01/23/how-to-destroy-session-when-users-close-the-browser-tab-in-php/
Question by:srtindall
18 Comments
 
LVL 51

Expert Comment

by:Huseyin KAHRAMAN
ID: 40507696
on close show a message and force user to click logout!
0
 
LVL 51

Expert Comment

by:Huseyin KAHRAMAN
ID: 40507699
or like this

$(window).unload(function() {
    var answer = confirm("Are you sure you want to leave?");
    if (answer) {
        //ajax call here -- call your logout.aspx
    }
});


or just call logout...

$(window).unload(function() {
    //ajax call here -- call your logout.aspx
});
0
 
LVL 6

Expert Comment

by:ajeab
ID: 40507704
for IE
try
setting --> Advanced --> under Browsing section, uncheck "reuse windows for launching shortcut",

under Security section, check "do not save encrypted pages to disk"
0

 
LVL 51

Expert Comment

by:Huseyin KAHRAMAN
ID: 40507714
ajeab, this is a web app and the author wants to control this...
not trying to force all users to make changes to their browsers, which is not possible...
0
 

Author Comment

by:srtindall
ID: 40507751
This code works when closing the browser window, but doesn't work on closing just the tab.

Any solutions for closing the tab with the browser window staying open?
0
 
LVL 51

Accepted Solution

by:
Huseyin KAHRAMAN earned 250 total points
ID: 40507781
beforeunload maybe:

<script>
window.addEventListener("beforeunload", function (e) {
  alert("really");
  var confirmationMessage = "sure";

  (e || window.event).returnValue = confirmationMessage; //Gecko + IE
  return confirmationMessage;                            //Webkit, Safari, Chrome
});
</script>



tested with Chrome & IE, working fine.... I mean it is firing the event... so you can do an ajax call here...
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 250 total points
ID: 40507791
It's how browsers work. Hain gave you a possible solution but there is no guarantee it will fire. Developers have been trying for a long time to 100% successfully fire code when the tab/browser is closed.

Apart from that it's a bad idea anyway - what if I open a link in a new tab and close the old tab or the new one - then you kill my session and I lose everything.
0
 
LVL 51

Expert Comment

by:Huseyin KAHRAMAN
ID: 40507800
+1 Gary

Apart from that it's a bad idea anyway - what if I open a link in a new tab and close the old tab or the new one - then you kill my session and I lose everything.

sometimes i duplicate a page and close one randomly later :) if you implement such thing, i will get really mad...
0
 
LVL 51

Expert Comment

by:Huseyin KAHRAMAN
ID: 40507816
just did a test with my bank site...

logged in, duplicated page (my accounts), closed randomly one of them... no issues... they work fine...

Then i copied url and closed all bank sites (tabs) and opened a new tab, and pasted the url

voila! page is there!...

summary: put a warning on your page, saying

BEWARE!!! Just do not close the site! use LOGOUT! or else your data may be stolen (public computers)
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40508707
What are you trying to protect against? Someone establishes a session, I guess https is used. If he closes the browser, the session is gone. If he closes only the tab, it is not gone, that's it.
So you fear that he closes the tab and leaves his computer unattended and unlocked afterwards? He should lock his computer.
0
 

Author Comment

by:srtindall
ID: 40509757
Thanks for the Beware comment, already working down that path.

Not sure I get the "it's a bad idea"

I'm trying to protect PHI data.  Can't control if the end user locks his/her computer, especially on a public computer.
0
 
LVL 51

Expert Comment

by:Huseyin KAHRAMAN
ID: 40510137
even the big banks do not do such thing, so why worry? educate your users...
also, keep your session timeout short (5 min for example) instead of default (15-20 min)
0
 
LVL 58

Expert Comment

by:Gary
ID: 40510303
The best thing you can do is adopt a 10 minute session (Hain says 5 minutes, I think that is too short - I know I could spend 10 minutes looking through a statement)
And here is the biggie: no "Remember me".
If people are stupid enough to use a public computer and not do a complete log out, well, you can't fix stupid.

If someone wants to do anything other than look at things, say change the password, then you ask them to enter the password again - this can eliminate the kind of hacking I think you are trying to prevent.  It's a hassle but is quite widely implemented where you are transferring money, changing the password etc to prevent any possibility of someone else using the account.
0
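
The short idle timeout, the absence of "Remember me" and the password re-entry recommended in the comments above, enforced on the server so that a reopened tab finds no live session once the limit has passed. This is an added example, not code from the thread; SessionStore, authorize, sessionCookie, the cookie name and the 2-minute re-entry window are assumptions made for illustration.

```javascript
// Added example (not from the thread); every name here is hypothetical.
const crypto = require("crypto");

const IDLE_TIMEOUT_MS = 10 * 60 * 1000; // 10-minute idle limit suggested in the thread
const REAUTH_WINDOW_MS = 2 * 60 * 1000; // assumption: a password re-entry is honoured for 2 minutes

class SessionStore {
  constructor() { this.sessions = new Map(); }

  // Called after a successful password login.
  create(userId, now) {
    const id = crypto.randomBytes(32).toString("hex");
    this.sessions.set(id, { userId, lastSeen: now, lastAuth: now });
    return id;
  }

  // Every request passes through here: the server, not the browser, decides expiry.
  touch(id, now) {
    const s = this.sessions.get(id);
    if (!s) return null;
    if (now - s.lastSeen > IDLE_TIMEOUT_MS) {
      this.sessions.delete(id); // expired: a reopened tab gets the login page
      return null;
    }
    s.lastSeen = now;
    return s;
  }

  // Record a fresh password check (the caller has already verified the password).
  reauthenticate(id, now) {
    const s = this.touch(id, now);
    if (s) s.lastAuth = now;
    return s !== null;
  }

  // Explicit logout; also the target of any best-effort call made on unload.
  destroy(id) { return this.sessions.delete(id); }
}

// `sensitive` marks actions such as changing the password.
function authorize(store, id, sensitive, now) {
  const s = store.touch(id, now);
  if (!s) return "login";
  if (sensitive && now - s.lastAuth > REAUTH_WINDOW_MS) return "reauth";
  return "allow";
}

// No Expires/Max-Age attribute: the cookie is never persisted as a "Remember me" login.
function sessionCookie(id) {
  return "sid=" + id + "; Path=/; HttpOnly; Secure; SameSite=Strict";
}
```

The unload handlers earlier in the thread can still call the logout endpoint as a best effort, but expiry here does not depend on that call arriving.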
 
LVL 54

Expert Comment

by:McKnife
ID: 40510685
"I'm trying to protect PHI data.  Can't control if the end user locks his/her computer, especially on a public computer" - and you are sure this type of data may even be viewed on public computers? No matter how the login/logout is managed, the data is already at risk when you use an untrusted machine to view it.
You should limit the ability of viewing the data to managed computers only that have a lockscreen policy enforced. If you make it viewable from anywhere, you are at fault already. The login info could get compromised easily, screenshots could be taken, anything.
0
 
LVL 6

Expert Comment

by:ajeab
ID: 40510889
I'm in a similar situation to yours.  My EHR uses IE only and a lot of settings have to be done.  That is why I'm now evaluating visual app (Citrix XenApp, 2X, vmview); this way you will be sure that the IE session does not remain on the remote computer, but it's not cheap.  You will need at minimum an RDS server, RDS client licenses, and a couple of VMs for the gateway.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41584372
0


Question has a verified solution.
