undefined | Better HN

0 pointspaulgb2y ago0 comments

The proposal says that server-side expiration is still required. The ability to request that the client delete the token when the computer is locked is purely additive; if the client does not honor it, at worst you just get something equivalent to the status quo with cookies.

If the client works correctly, you get a security feature that is currently impossible with cookies (wiping the session as soon as the laptop lid closes, instead of some time after that.)

0 comments

maxloh2y ago

It is possible currently. Just attach an `beforeunload` listener which asks the server to invalidate the current session.

paulgbOP2y ago

I just tried it (Chrome on Mac), and beforeunload is not called when I lock the machine. The MDN docs also don't suggest that it should be.

maxloh2y ago

For the "invalidate session on screen lock" feature, it is possible to create close enough workarounds in today's JavaScript.

https://stackoverflow.com/questions/15959244/

Bottom line, you can simply listen to mouse move events and invalidate the current session on user inactivity.

j / k navigate · click thread line to collapse

0 pointspaulgb2y ago0 comments

If the client works correctly, you get a security feature that is currently impossible with cookies (wiping the session as soon as the laptop lid closes, instead of some time after that.)

0 comments

maxloh2y ago

It is possible currently. Just attach an `beforeunload` listener which asks the server to invalidate the current session.

paulgbOP2y ago

I just tried it (Chrome on Mac), and beforeunload is not called when I lock the machine. The MDN docs also don't suggest that it should be.

maxloh2y ago

For the "invalidate session on screen lock" feature, it is possible to create close enough workarounds in today's JavaScript.

https://stackoverflow.com/questions/15959244/

Bottom line, you can simply listen to mouse move events and invalidate the current session on user inactivity.

j / k navigate · click thread line to collapse