Should I expect the user to be signed out from a web app on browser close or computer shutdown? [closed]
I am testing a web application currently under development. I deliberately omit to press the 'Sign out' menu button. Instead, I do one of the following actions:
- close the browser tab with that application
- close the browser
- shut down/restart the PC

In all 3 scenarios, when I re-enter the URL of the application, I find myself already logged in. (Of course, when closing a tab, it felt more natural, but after a PC restart I was intrigued to find myself still logged in.)

I've tested and found that other platforms exhibit the same behaviour: Gmail, Outlook, Stack Overflow, GitHub, GitLab - all keep their users logged in even after a PC restart.

My main concern is security: I am worried that the user might go to a public location and sign in on a shared PC. After he leaves, somebody else inspecting the browser's history might enter the application on behalf of that user.

1. Is it acceptable that I mark this behaviour as a bug, and still demand that a browser close or a PC restart would sign out the user?
2. What possible alternatives do I have? So far, I've found only one: sign out the user after an amount of time of inactivity on the website. (Actually, I also thought of a feature like 'Sign me out from all locations', but it feels difficult to implement and I would rather ignore this option for now.)
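
Added example, not part of the original question and not the code of the application being tested: a minimal server-side session store showing the two alternatives the question mentions, an inactivity timeout and "sign out from all locations", alongside a cookie that carries no `Max-Age`/`Expires` so the browser treats it as a session cookie. The class name, method names and timeout values are assumptions chosen for illustration. Expiry is enforced on the server because a browser configured to restore the previous session can keep session cookies across a restart.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # assumed: sign out after 15 minutes of inactivity
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed: hard limit of 8 hours per sign-in


class SessionStore:
    """Hypothetical in-memory store; a real app would use a database or cache."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # token -> session record
        self._epochs = {}    # user -> counter; bumping it revokes all sessions

    def sign_in(self, user, remember_me=False):
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        now = self._clock()
        self._sessions[token] = {
            "user": user, "created": now, "last_seen": now,
            "epoch": self._epochs.get(user, 0),
        }
        # No Max-Age/Expires: a session cookie, dropped when the browser exits
        # (unless the browser restores sessions, hence the server-side checks).
        cookie = f"sid={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
        if remember_me:  # persistent cookie only when the user opts in
            cookie += f"; Max-Age={ABSOLUTE_TIMEOUT}"
        return token, cookie

    def authenticate(self, token):
        """Return the user for a valid session, or None if it must sign in again."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        expired = (
            now - session["last_seen"] > IDLE_TIMEOUT
            or now - session["created"] > ABSOLUTE_TIMEOUT
            or session["epoch"] != self._epochs.get(session["user"], 0)
        )
        if expired:
            del self._sessions[token]
            return None
        session["last_seen"] = now  # activity resets the idle timer
        return session["user"]

    def sign_out_everywhere(self, user):
        # Sessions issued under the old counter value stop validating.
        self._epochs[user] = self._epochs.get(user, 0) + 1
```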