I am developing a web application and using a server session to control access to it. This session should be terminated when the user logs off the application, when all tabs of the application are closed, or when the browser is closed.
I would like to know, what are the best practices for this type of control?
Why are you using session? For your case, FormsAuthentication is a good option.
– PauloHDSousa
Because we use InterSystems Caché technology and its web framework CSP (Caché Server Pages), so all user access control has been developed on top of the session features it has.
– Lucas Boeing Scarduelli
This technology was created for this kind of thing; user control per session doesn't seem cool.
– PauloHDSousa
On .NET, I usually store the Authorization information in a coded Cookie. You can set an expiration date, and from time to time renew/rewrite the Cookie. You can make an event-oriented schedule: the Logout button click event, the Tab closing event and the Browser closing event can each rewrite the Cookie or set its validity in the past, so Windows conditions your code to force login screen entry every time the cookie is expired. To ensure minimum security, consider using the Cookie with encoded values.
– Fabio Kfouri
In your opinion what would be the best approach?
– Lucas Boeing Scarduelli
You did not specify the language you are working in, but in PHP, when you use SESSIONS, they destroy themselves as soon as you delete the browser, but you can use session_destroy() at logout. Using the cookie, the user remains logged in even when closing the browser, which in my view is not very safe depending on the application! It is widely used in shopping carts.
– João pedro
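
The ideas raised in the comments above (a browser-session cookie, renewal on activity, and expiring the cookie at logout), combined with server-side invalidation, shown as an added example that is not code from any of the commenters. It is written in Python for illustration; `SessionStore`, the cookie name `sid` and the 15-minute idle timeout are assumptions.

```python
# Added illustration; SessionStore, "sid" and IDLE_TIMEOUT are hypothetical names/values.
import secrets
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before the server drops the session

class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> (user, last_seen)

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)  # unguessable identifier
        self._sessions[sid] = (user, now)
        return sid

    def validate(self, sid, now):
        """Return the user for a live session and renew it (sliding expiry)."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]  # covers a closed tab/browser with no logout
            return None
        self._sessions[sid] = (user, now)
        return user

    def logout(self, sid):
        self._sessions.pop(sid, None)  # the id is dead even if the cookie is replayed

def login_cookie(sid):
    """No Expires/Max-Age: a session cookie the browser discards when it exits."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["path"] = "/"
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["samesite"] = "Strict"
    return c["sid"].OutputString()

def logout_cookie():
    """Overwrite the cookie with an expiry in the past so the browser drops it."""
    c = SimpleCookie()
    c["sid"] = "deleted"
    c["sid"]["path"] = "/"
    c["sid"]["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
    c["sid"]["max-age"] = 0
    return c["sid"].OutputString()
```

Tab-close and browser-close events are not reliably delivered to the server, so the idle timeout in `validate` is what ends a session the user abandoned without logging out.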