How to log the user out when the browser is closed, using JavaScript

2025-03-29 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article explains how to log a user out of their account when the browser is closed, using JavaScript.

Classic practice

As is well known, for account security, when a user closes the browser or tab directly without clicking log out, the system should force a logout:

    // Call the logout API
    window.onbeforeunload = function () {
      // Execute the logout ajax call when the page is closed. Simple example:
      $.ajax({ url: "/logout" });
    };

Problem

There is a serious problem with this method: logout is also called when the page is refreshed. Many systems must keep the session alive across a page refresh. How can this be handled?

There is no clean solution, but the following workaround works:

    // Call the logout API
    window.onbeforeunload = function () {
      // Execute the logout ajax call when the page is closed, passing a flag
      // that tells the back end to delay the logout
      $.ajax({ url: "/logout", data: { delay: true } });
    };

Based on the delay flag, the back-end logout endpoint sets a timer and delays the logout. For example, with a 5-second timer, the application session is really logged out only after 5 seconds.

At the same time, once the front-end page has loaded, it immediately calls an API that clears the pending logout, telling the back end to delete the delayed-logout timer. This ensures that on a page refresh the earlier logout is abandoned and the application session is kept.
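The back-end side of this mechanism, as an added example that is not code from the original article: instead of an in-process timer it records a logout deadline on the application session and enforces it on the next request, which gives the same behaviour and also works when sessions live in a cache or database. The names SessionStore, requestLogout, clearLogout and isActive are hypothetical, and the caller passes the current time in milliseconds so the constructed scenario is deterministic.

```javascript
// Added example: application-layer session store with delayed logout.
// All names (SessionStore, requestLogout, clearLogout, isActive) are hypothetical.
class SessionStore {
  constructor(delayMs = 5000) {
    this.delayMs = delayMs;
    this.sessions = new Map(); // sessionId -> { user, logoutAt }
  }
  login(sessionId, user) {
    this.sessions.set(sessionId, { user, logoutAt: null });
  }
  // Handler body for /logout with delay=true (fired from onbeforeunload).
  requestLogout(sessionId, delay, now) {
    const s = this.sessions.get(sessionId);
    if (!s) return;
    if (!delay) { this.sessions.delete(sessionId); return; }
    // Keep the earliest deadline so repeated unload calls cannot extend it.
    if (s.logoutAt === null) s.logoutAt = now + this.delayMs;
  }
  // Handler body for POST /clearlogout (first call made by the loaded page).
  // Returns true only if the session is still alive and the logout was cancelled.
  clearLogout(sessionId, now) {
    if (!this.isActive(sessionId, now)) return false;
    this.sessions.get(sessionId).logoutAt = null;
    return true;
  }
  // Called on every authenticated request; enforces an expired deadline.
  isActive(sessionId, now) {
    const s = this.sessions.get(sessionId);
    if (!s) return false;
    if (s.logoutAt !== null && now >= s.logoutAt) {
      this.sessions.delete(sessionId); // deadline passed: really log out
      return false;
    }
    return true;
  }
}

// Constructed scenario: a refresh (clear arrives 200 ms later) versus a
// close followed by a reopen after 6 s.
function demo() {
  const store = new SessionStore(5000);
  store.login("sid-refresh", "alice");
  store.requestLogout("sid-refresh", true, 1000);
  const refreshed = store.clearLogout("sid-refresh", 1200);
  store.login("sid-closed", "bob");
  store.requestLogout("sid-closed", true, 1000);
  const reopened = store.clearLogout("sid-closed", 7000);
  return { refreshed, reopened, stillActive: store.isActive("sid-refresh", 99999) };
}
```

Because clearLogout checks the deadline before cancelling, a late /clearlogout call cannot revive a session whose delay has already elapsed.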

Further questions

How long a delay is reliable for the back-end timer? You want it as short as possible, so that a user who closes the browser and then reopens the page does not get the old session back. For example, with a 5-second timer on the back end, if the user closes the browser and reopens the page more than 5 seconds later, the session is not resumed and the user lands on the login page again. If the user is quick enough to reopen the page within 5 seconds, they re-enter the previous session. This does not cause a serious problem, because a malicious user cannot get to the computer the user has just left and open the page that quickly.

So how many seconds should the delay be? That depends on how soon the front-end code calls the clear-delayed-logout API when the page loads; the key point is the sooner the better.

How can it be made earlier? Put this call as early as possible in the code of the home page, for example:

    // To call the clear-delayed-logout API as early as possible, use a raw XMLHttpRequest
    var xhr = new XMLHttpRequest();
    if (xhr) {
      xhr.open("POST", '/clearlogout', true);
      xhr.send();
    }

With this handling, under normal network conditions a page refresh keeps the interval between the delayed-logout call and the clear-delayed-logout call very short. Generally speaking, 5 seconds is a reasonable delay value.

The delay can be tuned to preference: shorten it to favour security, or lengthen it to make refreshes more reliable.

Points to note

Obviously, this mechanism depends on a two-layer session design on the back end, because session persistence across a page refresh must be supported in the first place. The outer layer is the web framework's own session, and the inner layer is the application-level session. The outer session depends on a cookie; the inner application session depends on a back-end cache or a database.
