Portlet Factory, Version 6.1.2

Security trick: encourage closing the browser

Closing the browser window would not be acceptable behavior for most public web sites, as users typically browse from one site to another. But in many cases with IBM® WebSphere Portlet Factory, you are building sensitive/secure web applications, not web sites. And sensitive web applications should be treated differently for business/security reasons.

When possible, your sensitive application's logout page should include JavaScript that attempts to close the browser window after logging the user out. The browser will typically prompt the user (via a popup dialog) to confirm that they really want to close it. In most cases the user will have the chance to decline if they need to continue using the same browser process for other work. But displaying this popup makes it less likely that a user will leave the browser window open with possibly cached (in-memory) data, dynamic session/security cookies, and HTTP Basic Auth credentials still held in memory.

Here is some sample JavaScript that you can use. Remember to test it in your environment and against the browser types and versions you intend to support before relying on it. This particular function relies on a hidden form input to decide whether to close the window, because the page it came from was also used for other purposes, not just as a logout page. The if (window._LOGOUT_CLOSE_WINDOW) test can be removed if you do not need the page to serve multiple purposes.

<script>
function _LOGOUT_closeWindow() {
    if (window._LOGOUT_CLOSE_WINDOW == "true") { window.close(); }  // close only when the page is acting as the logout page
}
_LOGOUT_closeWindow();
</script>
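As an added example that is not part of the Portlet Factory documentation, the same idea with the pieces described above made explicit: the close flag is read from the hidden form input (the input name _LOGOUT_CLOSE_WINDOW, the form name logoutForm and the element id logout-close-note are assumptions), and when the browser refuses to close the window, which current browsers generally do for windows a script did not open itself, the page falls back to telling the user to close it.

```javascript
// Added example, not the documentation's own code. Names of the form, the hidden
// input and the note element are assumed.

// Read the close flag from the hidden input "_LOGOUT_CLOSE_WINDOW" on a form-like object.
function logoutShouldClose(form) {
  var input = form && form.elements ? form.elements["_LOGOUT_CLOSE_WINDOW"] : null;
  return !!input && input.value === "true";
}

// Ask the browser to close the window. Returns "skipped" when the page is not
// acting as the logout page, "closed" when the window went away, and "blocked"
// when the browser declined or the user cancelled the confirmation prompt.
// `win` and `doc` are passed in so the logic can be exercised outside a browser.
function logoutCloseWindow(win, doc, form) {
  if (!logoutShouldClose(form)) {
    return "skipped";
  }
  win.close();
  if (win.closed) {
    return "closed";
  }
  // Fallback: the window is still open, so tell the user to close it themselves
  // so that cached data, session cookies and Basic Auth credentials are dropped.
  var note = doc.getElementById("logout-close-note");
  if (note) {
    note.textContent = "You have been logged out. Please close your browser window now.";
  }
  return "blocked";
}

// Browser entry point: run on the logout page after the server has ended the session.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  logoutCloseWindow(window, document, document.forms["logoutForm"]);
}
```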
