The never ending browser sessions

tl;dr;

The concept of session memory is no longer valid in today’s browsers. Even sessionStorage is not cleared after closing the tab: it is easily revived by clicking “Reopen closed tab”. That might seem like a bug, but not if you look at the spec, which is rather permissive, maybe too much.

So what’s the problem really?

Imagine you log in to your bank’s website from a trusted third-party computer.
When you’re done, you simply click the X button to close the site, assuming that your session will be over. This used to be true for many years, since it was common for critical websites like banks to store the authentication token in a session cookie.
And session cookies, as the name implies, are gone when the session is gone. The problem is that with tabbed browsing and browsers running in the background, that session might end a long time after you clicked the X.
This means that most of the time, anyone accessing that computer after you will be able to continue where you left off, logged in as you.

sessionStorage to the rescue? – not really

So if session-cookies are not good enough, what about that shiny sessionStorage?
It’s isolated per tab and cleared when that tab is closed.
It must be good – you click the X and it’s gone.
Well almost…
In Chrome and Firefox the session storage is easily revived with a right click and “Reopen closed tab” or “Undo close tab” respectively.

This strange and unexpected behavior of sessionStorage still complies with the spec, which is somewhat over-permissive:
“The lifetime of a browsing context can be unrelated to the lifetime of the actual user agent process itself, as the user agent may support resuming sessions after a restart.”

We can argue whether this is a bug or not, but it’s definitely a bad feature and should be mitigated. We should have a real session storage which we can trust to be cleared when we click the “X”, without unreliable tricks like onbeforeunload and the like.

Here’s a demo: close the tab and reopen it with “Reopen closed tab” – the sessionStorage will be revived.

While Chrome and Firefox behave badly and revive the sessionStorage, Safari and IE11 don’t revive it and are the safer browsers in that regard.

Bottom line

As a user, always, always log out manually; never rely on just closing the tab or the browser.

As a developer, the only way to create real sessions that are gone when the user closes the tab is to keep anything critical in memory and only in memory. I’ve written more about it, with examples, here.
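As an added example (not code from the original post), here is the memory-only token holder described above next to a sessionStorage-backed one, with a constructed stand-in for window.sessionStorage so the file also runs under Node. The simulateReopen helper is a hypothetical name that models what the post describes: page scripts start from scratch, but Chrome and Firefox hand the restored tab its old sessionStorage area.

```javascript
// Constructed stand-in for window.sessionStorage (same getItem/setItem/removeItem API).
// In a real page you would pass window.sessionStorage instead.
function fakeSessionStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}

// Memory-only holder: the token lives in a closure variable and is never written
// to any storage area. Closing the tab discards the JS heap, so a reopened tab
// starts with a fresh, empty holder and must authenticate again.
function createMemorySession() {
  let token = null;
  return {
    login: (t) => { token = t; },
    logout: () => { token = null; },
    authHeaders: () => (token ? { Authorization: `Bearer ${token}` } : {}),
    isLoggedIn: () => token !== null,
  };
}

// sessionStorage-backed holder: looks per-tab, but the browser may restore the
// storage area on "Reopen closed tab", so the token comes back with it.
function createStorageSession(storage, key = 'authToken') {
  return {
    login: (t) => storage.setItem(key, t),
    logout: () => storage.removeItem(key),
    authHeaders: () => {
      const t = storage.getItem(key);
      return t ? { Authorization: `Bearer ${t}` } : {};
    },
    isLoggedIn: () => storage.getItem(key) !== null,
  };
}

// Hypothetical model of "close tab, then Reopen closed tab": all page scripts run
// again (new holders), while the same sessionStorage area is handed back.
function simulateReopen(storage) {
  return {
    memory: createMemorySession(),          // fresh closure: token gone
    stored: createStorageSession(storage),  // same storage area: token revived
  };
}
```

The trade-off is that an ordinary reload of the same tab also empties the in-memory holder, so the application must be prepared to ask the user to sign in again.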

Guy A
