how to clear devise session on browser close?

Question

I am using 'devise' for password authentication in my ruby on rails app. Once I successfully login and I close my browser and open a new browser window I am still logged in. Lets say I am using Chrome, I close all instances of chrome and then open a new one. I am still logged in. The same is the case when I am doing IE and Firefox too.

I would assume on close of window and opening a new window should establish a new session between the server and the browser isn't it? If not how do I achieve that?

i used tried doing clicking on logout button on browser window's onbeforeunload event, but it does not works as it logout of application on any form submit or link click.

window.onbeforeunload = function() {
  $('#logout_cls').click();
};

and tried sending AJAX request to the sessions controller destroy action for clearing the session.

  jQuery(window).bind(
    "close",
    function(event) {
          $.ajax({
            type: 'DELETE',
            dataType: 'json',
            url: $('#logout_cls').attr('href')
          });
    });

but all this did not work.

Answer 1

Turns out that the problem was how my session_store was configured.

MyApp::Application.config.session_store :active_record_store, 
{:key => '_my_app_session', :secret => '5xb5x1g92e965b95b16e49x79gxx9999', :expire_after => 2.hours}

I removed the options and the issue was solved.

I have another question though and that is removing options does it have any potential risks? I am not storing any important data in the session obviously but putting in data I wouldn't want exposed.

My app would be going live in a few days it would be very helpful to get an answer for this. I googled things for an hour or so but didn't have too much luck.

Thanks

Answer 2

That is actually a feature. Facebook and pretty much all sites with authentication do it through the use of cookies.

Devise's option Rememberable "manages generating and clearing a token for remembering the user from a saved cookie". If you don't want that, then remove the remember_token string and remember_created_at datetime from your user model and remove the Remember Me button from your login page.