referrer

I have researched this but have been unsuccessful. I have a site that I
bring up in a tab on my IE browser. I log in which sets a session variable.
If I then kill that tab, open a new tab and bring up the site again, I am
still logged in. If I open a new browser instead, then I am not logged on.

I would like to be logged out if I kill the tab. I tried with the referer
(why is it spelled this way? It should be referrer), but it was empty for
both the new session and the new tab.

How can I determine that this is a new session for the tab as well as the
new browser?

Re: referrer

On Wed, 17 Oct 2007 23:25:06 +0200, coder wrote:

> I have researched this but have been unsuccessful. I have a site that I
> bring up in a tab on my IE browser. I log in which sets a session
> variable.
> If I then kill that tab, open a new tab and bring up the site again, I am
> still logged in. If I open a new browser instead, then I am not logged
> on.
>
> I would like to be logged out if I kill the tab. I tried with the
> referer
> (why is it spelled this way? It should be referrer),

Historical reasons. Once it was out there it was to late to change it or
something.

> but it was empty for
> both the new session and the new tab.

'Referer' shouldn't be used for anything having to do with being logged
in/out and authentication as a whole. It's user supplied, unreliable, and
often even stripped/blocked by firewall or UA settings.

> How can I determine that this is a new session for the tab as well as the
> new browser?

You can't.

A session by default uses a cookie with a lifetime of 0, which to modern
UA's would mean 'until the browser is closed'. There is no convention to
inform the browser to delete the sessioncookie on a tab close. The only
way it will sort of work (unreliably) is to use some onunload event with
javascript. This will do you no good though, and isn't even worth a minute
of your time trying to implement it.

What is your actual problem/goal for having this kind of behaviour? Maybe
we suggest an alternate solution to your problem.
--
Rik Wasmus

Re: referrer

>I have researched this but have been unsuccessful. I have a site that I
>bring up in a tab on my IE browser. I log in which sets a session variable.
>If I then kill that tab, open a new tab and bring up the site again, I am
>still logged in. If I open a new browser instead, then I am not logged on.

Tabs on the same browser have the same set of cookies, which means
they have the same session (at least that's my observation in IE).

>I would like to be logged out if I kill the tab.

If you ask really, really nice (with huge trainloads of money),
Microsoft might change this in Service Pack 86 of IE. But I doubt
it. Or you might find a registry key you can tweak to get that
behavior: on your browser only.

Note that giving each tab their own bucket of cookies probably means
that every new tab is logged out of everything, and that might break
the way some existing sites work (anything that (a) opens a new tab
and (b) requires you to be logged in to view the new tab would
likely break). Functions like "remember my login" would only work
on individual tabs. Is that really how it should work?

>I tried with the referer
>(why is it spelled this way? It should be referrer), but it was empty for
>both the new session and the new tab.

Referer won't tell you what tab something came from. It's also trivially
easy to fake.

>How can I determine that this is a new session for the tab as well as the
>new browser?

Switch browsers? I think there's a browser that DOES give a different
bucket of cookies to each tab. Opera perhaps?

Re: referrer

On Thu, 18 Oct 2007 00:58:37 +0200, Gordon Burditt
wrote:
>> How can I determine that this is a new session for the tab as well as
>> the
>> new browser?
>
> Switch browsers? I think there's a browser that DOES give a different
> bucket of cookies to each tab. Opera perhaps?

Thank god no :)
Even if a browser has something like this, the logic for handling frames
and popups (well, both kinda evil) would be hell.
--
Rik Wasmus

Re: referrer

..oO(Gordon Burditt)

>Switch browsers? I think there's a browser that DOES give a different
>bucket of cookies to each tab.

Hopefully not. As you said a bit earlier - it would break many sites.

>Opera perhaps?

No, Opera works correctly.

Micha

Re: referrer

"Rik Wasmus" wrote in message
news:op.t0c2j2i45bnjuv@metallium.lan...
> On Wed, 17 Oct 2007 23:25:06 +0200, coder wrote:
>
>> I have researched this but have been unsuccessful. I have a site that I
>> bring up in a tab on my IE browser. I log in which sets a session
>> variable.
>> If I then kill that tab, open a new tab and bring up the site again, I am
>> still logged in. If I open a new browser instead, then I am not logged
>> on.
>>
>> I would like to be logged out if I kill the tab. I tried with the
>> referer
>> (why is it spelled this way? It should be referrer),
>
> Historical reasons. Once it was out there it was to late to change it or
> something.
>
>> but it was empty for
>> both the new session and the new tab.
>
> 'Referer' shouldn't be used for anything having to do with being logged
> in/out and authentication as a whole. It's user supplied, unreliable, and
> often even stripped/blocked by firewall or UA settings.
>
>> How can I determine that this is a new session for the tab as well as the
>> new browser?
>
> You can't.
>
> A session by default uses a cookie with a lifetime of 0, which to modern
> UA's would mean 'until the browser is closed'. There is no convention to
> inform the browser to delete the sessioncookie on a tab close. The only
> way it will sort of work (unreliably) is to use some onunload event with
> javascript. This will do you no good though, and isn't even worth a minute
> of your time trying to implement it.
>
> What is your actual problem/goal for having this kind of behaviour? Maybe
> we suggest an alternate solution to your problem.
> --
> Rik Wasmus

Thank you Rik. I'll live with it this way.

Re: referrer

"Rik Wasmus" wrote in message
news:op.t0c2j2i45bnjuv@metallium.lan...
> On Wed, 17 Oct 2007 23:25:06 +0200, coder wrote:
>
>> I have researched this but have been unsuccessful. I have a site that I
>> bring up in a tab on my IE browser. I log in which sets a session
>> variable.
>> If I then kill that tab, open a new tab and bring up the site again, I am
>> still logged in. If I open a new browser instead, then I am not logged
>> on.
>>
>> I would like to be logged out if I kill the tab. I tried with the
>> referer
>> (why is it spelled this way? It should be referrer),
>
> Historical reasons. Once it was out there it was to late to change it or
> something.
>
>> but it was empty for
>> both the new session and the new tab.
>
> 'Referer' shouldn't be used for anything having to do with being logged
> in/out and authentication as a whole. It's user supplied, unreliable, and
> often even stripped/blocked by firewall or UA settings.
>
>> How can I determine that this is a new session for the tab as well as the
>> new browser?
>
> You can't.
>
> A session by default uses a cookie with a lifetime of 0, which to modern
> UA's would mean 'until the browser is closed'. There is no convention to
> inform the browser to delete the sessioncookie on a tab close. The only
> way it will sort of work (unreliably) is to use some onunload event with
> javascript. This will do you no good though, and isn't even worth a minute
> of your time trying to implement it.
>
> What is your actual problem/goal for having this kind of behaviour? Maybe
> we suggest an alternate solution to your problem.
> --
> Rik Wasmus

Thank you Rik. I'll live with it this way.