Ben Nadel has a pretty good discussion of it. I th...
# cfml-general
Ben Nadel has a pretty good discussion of it. I think you'll have to do a structclear and delete the relevant cookies.
I think @fmdano is trying to figure out how to do that when the browser or tab is closed.
@larryclyons That is what I saw in Ben's article that the session stays....and yes @Myka Forrest I am trying to see if there is a way when the user clicks the X to close the browser if we can clear the session....
Session only cookies perhaps.
Trying to intercept browser close is a special level of madness. Instead ask the client to explain why they're perfectly ok with there being data in memory on the server so long as the browser is open, even if the user has left for the day or is outside smoking a cigarette. Yet, if the browser windows closes, some magical threshold has been reached where it's no longer ok to have this data in memory.
There's probably not any data in session that isn't also in the database, and it's not like you drop the DB when the user closes their window, lol
Narrowing the attack surface for session highjacking attacks is likely the source of their concern, but (assuming you've taken appropriate caution) the likelihood of a session highjack happening is no different depending on whether the browser is open or not (in fact, if anything it's LESS likely). That's an arbitrary and irrelevant line to draw IMO.