by thwarted 964 days ago
It’s also very common that a website wants credentials to be cleared when the user is inactive for a certain amount of time. This is important for sensitive applications such as banking and healthcare. Currently there’s no way to enforce that a cookie is cleared on device lock or user inactivity, especially because security requires that such cookies not be visible to JavaScript. A native session management solution should be able to request that the browser clear a session in the case of device lock, the user navigating away, etc.

No, the correct way to do this is to use the cookie to store an opaque session identifier generated at each login, then expire the session data on the server sometime after its last touch. This solves both forcing expiration and the copying/hijacking of cookie values from long-saved browser state.

3 comments
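The server-side pattern thwarted describes, written out as an added example (not code from this thread or from the WebSession proposal): an opaque id minted on every login, a sliding idle timeout enforced by the server, plus an absolute cap from login time. The timeout values, the `SessionStore` class and the `cookie_header` helper are my assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # seconds allowed since the session was last touched
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap from login, regardless of activity

class SessionStore:
    """Server-side session table keyed by an opaque random id minted per login."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._sessions = {}  # sid -> {"user", "created", "last_touch"}

    def login(self, user):
        # Fresh id on every login: a cookie value copied from old browser state
        # never maps to a new session, and a logged-out session cannot be revived.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_touch": now}
        return sid

    def get(self, sid):
        """Resolve a cookie value: None if unknown/expired (entry dropped), else the session, touched."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._expired(s):
            del self._sessions[sid]
            return None
        s["last_touch"] = self._clock()
        return s

    def logout(self, sid):
        return self._sessions.pop(sid, None) is not None

    def sweep(self):
        """Drop every expired entry; run periodically so idle sessions don't linger."""
        dead = [k for k, s in self._sessions.items() if self._expired(s)]
        for k in dead:
            del self._sessions[k]
        return len(dead)

    def _expired(self, s):
        now = self._clock()
        return now - s["last_touch"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT

def cookie_header(sid):
    # HttpOnly keeps the id out of script, Secure keeps it off plaintext HTTP;
    # no Max-Age/Expires, so the server, not the browser, decides when it dies.
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

Even when a client does honor a lock-screen or inactivity hint, this store is what actually bounds a hijacked cookie's lifetime; the client-side hint only shortens it further.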

In short, you can't rely on the client doing _anything_, especially following the protocol correctly.
The proposal says that server-side expiration is still required. The ability to request that the client delete the token when the computer is locked is purely additive; if the client does not honor it, at worst you just get something equivalent to the status quo with cookies.

If the client works correctly, you get a security feature that is currently impossible with cookies (wiping the session as soon as the laptop lid closes, instead of some time after that).

It is possible currently. Just attach a `beforeunload` listener which asks the server to invalidate the current session.
I just tried it (Chrome on Mac), and beforeunload is not called when I lock the machine. The MDN docs also don't suggest that it should be.
For the "invalidate session on screen lock" feature, it is possible to create close enough workarounds in today's JavaScript.

https://stackoverflow.com/questions/15959244/

Bottom line, you can simply listen to mouse move events and invalidate the current session on user inactivity.

Also note the apples-to-oranges comparison: enforce cookie clearance vs. request that the browser clear the session.
Surprisingly, there are several cookie-based approaches that forget to handle any sort of server-side expiration. Here's one:

https://github.com/googleapis/nodejs-firestore-session/issue...

I agree that WebSession would benefit from a time-since-last-touched expiration, although I'll point out that a time-based approach doesn't handle the "when device is locked" requirement.

I've noticed reddit doesn't invalidate your cookies even if you click the logout button. There is a button in the site settings under your list of sessions, but I haven't tested that.

I noticed it because I delete site cookies often, and paste them in from a file whenever I want to comment. Occasionally I click "logout" without thinking. I got creeped out by that year-in-review thing they do once.