Session cookies do not retain any information on your device or send information from your device. These cookies are deleted when the session expires or is terminated when the browser window is closed.
The solution is to delete the cookie from the server, which will require an HTTP request before the tab is closed. Most JS libraries will use asynchronous HTTP requests, which will cause the tab to be closed before receiving the expired cookie from the server, so asynchronous calls will not work reliably.
Cookies have nothing to do with tabs or windows -- they have to do with requests to a domain. Whenever the browser makes a request to a webserver for a domain, any cookies that it has for that domain will be sent in the request header.
Description ¶ session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
The session cookie is per-process not per window. So even if you selected New Window you'd still get the same session id. This behavior makes sense. You wouldn't want a user to re-sign in each time they opened a new window while browsing your site.
I'm not aware off hand of any real way around this.
This is by design and trying to change it is a very bad idea. What if a user opens a link in a new tab and closes that? Should the session in the original tab be destroyed? Of course not! This demonstrates why you should not even think about this.
A session ends when the last browser window closes. If you want something else, you:
Session web storage can be used instead of cookies if you need to depend on tab closure.
You can also write a javascript that detects when a tab is closed and delete the cookie in the javascript
I found a work around.
I'm working in ASP.NET
C#
. I have a Master Page
for all the pages of the site except for the Login
page. In the Master Page
Sever Page Load event
I get the Url
of the referring page and check if it contains the root of the the site, if not I redirect to the Login
page and since it doesn't have that Master Page
it displays.
This works if I try to get to a page from another site or if I enter the Url
to the address box of the browser. So if you close the tab and you try to reenter from another tab or reopen the tab, even tho the cookie hasn't been killed you can't reenter the site without going thru Login
. This works also even if you haven't closed the tab and your navigating between different sites in the same tab.
This is the code
if (Request.UrlReferrer == null || !Request.UrlReferrer.AbsoluteUri.ToString().Contains("root"))
{
Response.Redirect("~/Account/Login.aspx");
}
When navigating from within the site there's no problem even if you open a link to another page in the site to another tab it opens.
If you want to be additionally sure you can kill the session and authentication cookie in that if
clause before redircting to the Login
page.
This won't work when a user navigated to another site in the same tab and presses the browsers back to
button because that works on cache and doesn't automatically send a request to the server.
So this doesn't kill the session or authentication cookie on closing the tab, but it can help prevent reentering the site without logging in after closing the tab.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With