I'm using session-based cookies with my website. To my complete surprise, I noticed if I set a session cookie (not a persistent cookie), close a tab, and then reconnect to the site, the session cookies are still there. That's not what I would have expected, actually. I would have expected the session cookies to be deleted.

If you close the browser, a session cookie is deleted, so why doesn't closing a tab have the same result?

Therefore, I'm using PHP5 and jQuery. Is there anything I can do such that when a tab is closed I can fix this session issue? Unfortunately the onbeforeunload event on the BODY tag is not useful here because when you click away from a page it fires that event, not just closing a tab.

+2  A: 

This is by design and trying to change it is a very bad idea. What if a user opens a link in a new tab and closes that? Should the session in the original tab be destroyed? Of course not! This demonstrates why you should not even think about this.

A session ends when the last browser window closes. If you want something else, you:

  1. do not want sessions;
  2. need to make your own "mini-session" infrastructure;
  3. are probably in for a world of hurt and bugs.
Sander
The problem here is a public environment, like a library, and someone's online profile with identity info inside. I need to come up with a solution.
Nevertheless, it seems like you have a few good answers to this question, and should pick one of them as the correct answer. Perhaps you want to also start a new question?
bignose
+1  A: 

My guess is that it depends on the actual browser. Chrome uses different processes per tab, so I doubt that session cookies will survive between different tabs.

Brian Rasmussen
This is actually an important thing to keep in mind. Thanks for pointing that out.
Please upvote answers you find useful.
Brian Rasmussen
+3  A: 

The session cookie is per-process, not per window. So even if you selected New Window you'd still get the same session id. This behavior makes sense. You wouldn't want a user to re-sign in each time they opened a new window while browsing your site.

I'm not aware offhand of any real way around this.

Paul Alexander
Paul, see my comment to Sander below that begins, "The problem here..."
In such circumstances, the tab closing isn't the main issue. It's controlling the expiration of the session more actively. You'll want to implement some sort of activity timeout on the client in JS that automatically logs out after no user activity. You'll find this type of behavior on most banking sites.
Paul Alexander
Paul, you are right. I slept on the issue and that's the course of action I plan to take. Now to put in another stackoverflow question on the most optimal way to implement that.
I think if someone figures out the cross-platform hack/kludge to detect with 90% accuracy that a tab has just been closed versus closing a page any other way, they will become a hero on the web.
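
The client-side activity timeout suggested in the comments above, as an added example that is not part of the original thread. It shares the last-activity time between tabs through `localStorage` so that one idle tab does not log out a tab in active use; the 10-minute limit, the storage key and the `/logout.php` endpoint are assumptions.

```javascript
// Added example. idleMs, the storage key and /logout.php are assumptions.
function createIdleLogout({ idleMs, onLogout, now = Date.now, storage = null, key = 'lastActivity' }) {
  let last = now();          // last activity seen in this tab
  let lastWrite = -Infinity; // last time we wrote to shared storage
  let loggedOut = false;

  // Record user activity; publish it (at most once per second) for other tabs.
  function touch() {
    if (loggedOut) return;
    last = now();
    if (storage && last - lastWrite >= 1000) {
      storage.setItem(key, String(last));
      lastWrite = last;
    }
  }

  // Most recent activity in any tab sharing the same storage.
  function lastActivity() {
    const shared = storage ? Number(storage.getItem(key)) : 0;
    return Math.max(last, shared || 0);
  }

  // Call on a timer; fires onLogout exactly once when the idle limit is reached.
  function check() {
    if (!loggedOut && now() - lastActivity() >= idleMs) {
      loggedOut = true;
      onLogout();
    }
    return loggedOut;
  }

  return { touch, check };
}

// Browser wiring; skipped when there is no window (for example under Node).
if (typeof window !== 'undefined') {
  const idle = createIdleLogout({
    idleMs: 10 * 60 * 1000, // assumed policy: 10 minutes
    storage: window.localStorage,
    onLogout: () => { window.location.href = '/logout.php'; }, // hypothetical endpoint
  });
  ['mousemove', 'keydown', 'click', 'scroll', 'touchstart'].forEach((ev) =>
    window.addEventListener(ev, idle.touch, { passive: true }));
  setInterval(idle.check, 15 * 1000);
}
```

The timer only covers browsers where the script runs, so the server-side session still needs its own matching expiry, and the logout endpoint has to destroy the session on the server.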