js handles account logout when closing the browser

Classic approach

As we all know, for the sake of account security, when the user does not actively click to log out of the system, the method of directly closing the browser or tab to force log out of the system is:

//Call the logout interface when closing window.onbeforeunload = function() {
 //Execute the logout ajax call, simple example $.ajax({url:"/logout"});
};

question

This method has serious problems. It will cause logout to be called when refreshing the page. Many systems must support refreshing the page to maintain the session. How to deal with it?

There is no solution, but it works:

//Call the logout interface when closing window.onbeforeunload = function() {
 //Execute the logout ajax call, pass in the flag, and tell the backend to delay the logout$.ajax({url:"/logout"},data:{delay:true});
};

The background logout interface sets a timer according to the delay flag to delay logout. For example, if a 5-second timer is set, the application system session will be actually logged out after 5 seconds.

At the same time, after the front-end page is loaded, a clear logout interface should be called immediately to tell the background to delete the delayed logout timer to ensure that the previous logout operation is abandoned when the page is refreshed to maintain the application session.

Further questions

How much delay is reliable for background timer? Of course, we hope that the shorter the better, because this ensures that after the user closes the browser and reopens the page, the session will not be restored. For example, a 5-second timer is set in the background. As long as the interval between the user closing the browser and reopening the page is greater than 5 seconds, the session will not be restored, ensuring that the user re-enters the login page. Of course, if the user's hand speed is too high and the page is reopened within 5 seconds, the previous session will be successfully entered. Of course, this will not cause serious problems, because a malicious user cannot use the computer that the user left and open the page very quickly.

Then what? How many seconds of delay should be set? This depends on when the front-end code calls to clear the delayed logout timer when loading the page. The key point is that the sooner the better.
How about sooner? Of course, you need to put this call in the code as early as possible on the home page, for example:

<html manifest="">
 <head>
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta charset="UTF-8">
  <meta http-equiv="Pragma" content="no-cache">
  <meta http-equiv="Cache-Control" content="no-cache">
  <meta http-equiv="Expires" content="0">
  
  <script type="text/javascript">
   //In order to call and clear the delayed logout timer as soon as possible, use the original XMLHttpRequest method to call var xhr = new XMLHttpRequest();
   if (xhr) {
    xhr.open("POST", '/clearlogout', true);
    xhr.send();
   }
  </script>

  ......

After the above processing, under normal network conditions, the refresh page operation can ensure that the time interval between calling the delayed logout and clearing the delayed logout is very short. Generally speaking, 5 seconds is a more reasonable delay value.
This mechanism can be used to decide whether to extend or shorten the delay call timer based on preferences, such as whether you want to be safer or want to ensure a more refresh experience.

Issues that need attention

Obviously, the above mechanism must rely on the backend two-layer session mechanism, because the premise is that it must first support the refresh page session retention, so the surface layer is the session of the web framework itself, and the inner layer is the application layer session. Surface sessions rely on cookies, while inner application sessions rely on background cache mechanisms or databases

This is the end of this article about how to log out of an account when closing the browser using js. For more information about how to log out of an account when closing the browser using js, please search for previous articles on 123WORDPRESS.COM or continue browsing the following related articles. I hope you will support 123WORDPRESS.COM in the future!