Session destroy in web

Hi all,

In my scenario, when the user navigates to another domain in the same tab after creating a session in OutSystems, the current session should be destroyed. But this is not happening; it is working as the last session is active. Is there any way to destroy the previous session in this scenario?

Thanks in advance,

Regards

Arun 


Hi Arun,

One thing that will work is to do the Logout of the user.

Hi Arun. The logout action from the Users module will clear the session for you, so you would need to invoke that action before the user is redirected to the new domain.


But can I ask why you have this requirement? Clearing the session in this way could hurt the user experience...

Imagine that the user navigated to the other domain by mistake. If the session is destroyed, that means the back button of the browser will return to the web app with a new session. Effectively, you're breaking the back button.

It's also impossible to determine if the user opened the other domain in the same tab, or in a new tab, or even copied the URL and opened the other domain in a different browser or a different device. In some of those cases, you might have no opportunity to run the logout action.


If you give some details on the reason why you need to clear the session, we might be able to give you an alternative solution.

Hi leonardo,

I am working on a BFSI project. I have a requirement that if the user, after logging in, navigates to another domain in the same tab by entering the URL in the address bar and then navigates back using the browser back button, the session should be destroyed. Is there any way to do so?

Regards

Arun Kumar


Hi Eduardo,

Thanks for your response.

The issue is that we can't set the cookie if the user navigates to another site by typing the URL directly in the browser address bar. The user's session should be logged out if it is found that the user has navigated to another site in the same tab of the browser using the browser address bar.

Regards

Arun

Hi, 

You may try to use the JavaScript event onbeforeunload...

It is triggered when you leave the page.

But it is a little limited on what you can do and it does not work the same way on all browsers, I think. 

You can also ask the browser to not cache anything in the page, if the problem is the user being able to go back to a previous state. 

Cheers

Arun, you may also have a look into the Beacon API, which allows you to send a POST request to the server when the page unloads.

However, in both scenarios (onbeforeunload as suggested by Eduardo, or Beacon API) you have no way of knowing if the page unload will result in a navigation to a different domain, or to a different web screen in your application.


Have a look at how other websites address this, and you will find that they do not do anything special. Services like Gmail, Outlook, or even online banking do not destroy the session immediately upon the user leaving the app. What comes close to that is online banking - they usually employ a short session timeout, usually of 1 minute or 2, and if you don't interact with the web screen you get logged out automatically.

Maybe you will get a more robust solution by doing that. Either way, it's not going to be easy.
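
The two suggestions in the reply above (a short idle timeout and an unload beacon) can be combined so that the beacon only shortens the session deadline instead of destroying the session outright. The sketch below is an added example, not part of the original thread and not OutSystems code; `SessionStore`, `installLeaveBeacon`, the `/session/left` endpoint and both timeout values are assumptions.

```javascript
// Added example: server-side session expiry with an injectable clock (ms).
// IDLE_MS and LEAVE_GRACE_MS are assumed values chosen for illustration.
const IDLE_MS = 2 * 60 * 1000;     // short idle timeout
const LEAVE_GRACE_MS = 10 * 1000;  // time allowed for the next in-app page to load

class SessionStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.sessions = new Map(); // sessionId -> { user, expiresAt }
  }
  create(sessionId, user) {
    this.sessions.set(sessionId, { user, expiresAt: this.now() + IDLE_MS });
  }
  // Call on every authenticated request. Returns the user, or null if expired.
  touch(sessionId) {
    const s = this.sessions.get(sessionId);
    if (!s) return null;
    if (this.now() >= s.expiresAt) {
      this.sessions.delete(sessionId); // destroy on the server, not only in the browser
      return null;
    }
    s.expiresAt = this.now() + IDLE_MS; // activity also cancels a pending "left" hint
    return s.user;
  }
  // Beacon handler: the page unloaded, destination unknown (other domain or
  // another screen of the same app). Only shorten the deadline, never extend it.
  pageLeft(sessionId) {
    const s = this.sessions.get(sessionId);
    if (s) s.expiresAt = Math.min(s.expiresAt, this.now() + LEAVE_GRACE_MS);
  }
}

// Browser side: win and nav are window and navigator. "/session/left" is a
// hypothetical endpoint that calls store.pageLeft() for the cookie's session.
function installLeaveBeacon(win, nav, url = "/session/left") {
  win.addEventListener("pagehide", () => nav.sendBeacon(url));
}
```

A request that arrives within the grace period is treated as in-app navigation and restores the full idle window; a user who comes back with the back button after the grace period gets `null` from `touch()` and has to log in again.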