Should I expect user being signed out from web app on browser close or computer shutdown? [closed]

Mar 17, 2025 - 12:34

I am testing a web application currently under development. I deliberately omit to press the 'Sign out' menu button. Instead, I do one of the following actions:

  1. close the browser tab with that application
  2. close the browser
  3. shut down/restart the PC

In all 3 scenarios, when I re-enter the URL of the application, I find myself already logged in. (Of course, when closing a tab, it felt more natural, but after a PC restart I was intrigued to find myself still logged in.)

I've tested and found that other platforms exhibit the same behaviour: Gmail, Outlook, Stack Overflow, GitHub, GitLab - all keep their users logged in even after a PC restart.

My main concern is security: I am worried that the user might go to a public location and sign in on a shared PC. After he leaves, somebody else inspecting the browser's history might enter the application on behalf of that user.

  1. Is it acceptable that I mark this behaviour as a bug, and still demand that a browser close or a PC restart would sign out the user?

  2. What possible alternatives do I have? So far, I've found only one: sign out the user after an amount of time of inactivity on the website. (Actually, I also thought of a feature like 'Sign me out from all locations', but it feels difficult to implement and I would rather ignore this option for now.)