Is it possible to configure an app so that users are automatically logged out when they close the browser window – without having to click a “Logout” link or button?
Here I’m making an assumption that you have a logout button with the default logout icon. Also, if your login page also has a logout link it will go in a loop and never log them in.
I’d recommend your login page not have a logout menu button, rather redirect the login to another page after a successful login.
I ask because I’m wondering: if a user does NOT click the Logout button and instead just closes the browser window (or tab), what happens to the user’s session? This interests me because I’ve noticed that, if I simply close the window/tab, I can also just return to the app by going back to the URL (say, by clicking the bookmark I have for it in my browser’s favorites bar). And boom! I’m back in – no login required.
That is not necessarily a bad thing. I think my users will be grateful if they can get back in easily if they close the tab accidentally or have a computer glitch that disconnects them or whatever.
But how long is this behavior good for? For example, say a user has logged into a database on a shared computer. Anna logs in, does some work, then just closes the browser tab and walks away. Along comes Bob, who has an evil heart. He looks at Anna’s browser history, opens the link for the Tadabase app she was working in – and darned, he’s in!
How big is Bob’s window of opportunity? I thought Anna’s session would be killed on the server after the app auto-logout time has passed (Settings > App Security Settings). But at least in my informal testing, that doesn’t seem to be the case.
Here's how I tested....
- In the backend, I set the auto logout period to 1 minute, saved that change, switched back to the Data Builder.
- Opened another window (in Edge/Chromium) and logged into the app.
- Closed that window (without clicking Logout).
- Waited five minutes (just to be sure).
- Opened a new window, typed the URL of the app and hit enter.
And darned, I got right back in – no need for me to reauthenticate.
I agree - for major security purposes if a browser is closed it should terminate the active user session and force a re-login.
I haven’t tested this but you may be able to accomplish this through the app settings > “App Security Settings” > toggle “App Auto Logout” then set a low timeframe of inactivity that would log them out.
However, this would mean that anytime there was X amount of inactivity it would log the user out; not just when they close the browser and don’t open a new session.
Just a thought,
In response to @SafetyUniversity …
Adam, thanks, but yes, I have tried that. (See my earlier post, under the hidden details triangle.)
But as far as I am able to tell, the auto-logout setting simply doesn’t work. I just tested it again.
- In my main browser (Edge Chromium), in my developer account for Tadabase, I set the auto-logout period for an app to 5 minutes.
- I logged into the app as a user in another browser (Vivaldi).
- I switched away from that second browser so it went into the background.
- On my phone I set a timer for 10 minutes.
When the timer went off, I switched back to Vivaldi. I was hoping to find a screen saying “You have been logged out for inactivity” – but I didn’t. App was still logged in and active.
Can anybody tell me if I’m doing anything wrong here?
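
The behaviour the posters in this thread expected, sketched as an added example (not Tadabase code, and not a statement of how Tadabase implements auto-logout): the server records the last activity for each session and rejects the cookie once the idle window has passed, whether or not any browser tab is still open to run a timer. `SessionStore`, `replayForumTest` and the 8-hour absolute cap are hypothetical names and values chosen for illustration; the 1-minute timeout and 5-minute wait come from the test described above.

```javascript
// Added example: idle timeout enforced on the server, not by a timer in the tab.
// All names are hypothetical; the clock is injectable so the test runs instantly.
const { randomBytes } = require('node:crypto');

class SessionStore {
  constructor({ idleMs, absoluteMs, now = Date.now }) {
    this.idleMs = idleMs;         // max gap between two requests
    this.absoluteMs = absoluteMs; // max total lifetime, even if active
    this.now = now;
    this.sessions = new Map();    // session id -> { user, createdAt, lastSeen }
  }
  create(user) {
    const id = randomBytes(32).toString('hex'); // unguessable cookie value
    const t = this.now();
    this.sessions.set(id, { user, createdAt: t, lastSeen: t });
    return id;
  }
  // Called on every request that carries the session cookie.
  validate(id) {
    const s = this.sessions.get(id);
    if (!s) return null;
    const t = this.now();
    const idleExpired = t - s.lastSeen > this.idleMs;
    const tooOld = t - s.createdAt > this.absoluteMs;
    if (idleExpired || tooOld) {
      this.sessions.delete(id);   // the old cookie is now useless to anyone
      return null;                // caller redirects to the login page
    }
    s.lastSeen = t;               // activity slides the idle window forward
    return s.user;
  }
  logout(id) { this.sessions.delete(id); }
}

// Replays the test from the thread: 1-minute timeout, tab closed, return later.
function replayForumTest() {
  let clock = 0;                                  // constructed fake time, in ms
  const store = new SessionStore({ idleMs: 60_000, absoluteMs: 8 * 3_600_000, now: () => clock });
  const cookie = store.create('anna');            // Anna logs in
  clock += 30_000;
  const whileActive = store.validate(cookie);     // request inside the idle window
  clock += 5 * 60_000;                            // tab closed, five minutes pass
  const afterWait = store.validate(cookie);       // same cookie presented again
  return { whileActive, afterWait, sessionsLeft: store.sessions.size };
}
```

With this check in place, the cookie left behind in the browser after the tab is closed stops working once the idle period ends, which bounds the window on a shared computer to that period.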