Hacker News new | ask | show | jobs
by alexchamberlain 966 days ago
In short, you can't rely on the client doing _anything_, especially following the protocol correctly.
1 comments
paulgb 966 days ago
The proposal says that server-side expiration is still required. The ability to request that the client delete the token when the computer is locked is purely additive; if the client does not honor it, at worst you just get something equivalent to the status quo with cookies.

If the client works correctly, you get a security feature that is currently impossible with cookies (wiping the session as soon as the laptop lid closes, instead of some time after that.)

link
maxloh 965 days ago
It is possible currently. Just attach an `beforeunload` listener which asks the server to invalidate the current session.
link
paulgb 965 days ago
I just tried it (Chrome on Mac), and beforeunload is not called when I lock the machine. The MDN docs also don't suggest that it should be.
link
maxloh 965 days ago
For the "invalidate session on screen lock" feature, it is possible to create close enough workarounds in today's JavaScript.

https://stackoverflow.com/questions/15959244/

Bottom line, you can simply listen to mouse move events and invalidate the current session on user inactivity.

link