Session Destroy after Browser/Tab is Closed #10340
Replies: 1 comment
-
If you set a cookie without `expires` and `maxAge`, that cookie is saved by the user as a session cookie. A session cookie is only retained by the browser until it's closed; once the user closes the browser (the whole browser, not just the tab) that cookie is deleted, so if the user opens the browser again and visits your page it will not send that cookie anymore. If you use `createCookieSessionStorage` the session data is stored in the cookie, so if you don't set an `expires` or `maxAge` it will be a session cookie and the whole session data will be destroyed along with the cookie once the user closes the browser. If you use another `createSessionStorage` function, then the session data is stored outside the cookie. In that case I recommend you also make the cookie a session cookie, but also keep track of the last time the user used the app in your session (on every request keep the date on the session). Then you can run a scheduled task or cronjob every day to check sessions that are not active anymore (how long will depend on your app, but it can be an hour or a day or even months if you want) and destroy them. This way the browser will clear the cookie and you can clear your DB to avoid keeping sessions forever.
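The server-side half of the answer above (last-activity tracking plus a scheduled sweep), as an added example that is not part of the original discussion and not Remix's own code. The `Map` stands in for a database table; the `__session` cookie name, the one-hour `IDLE_LIMIT_MS`, and all function names are assumptions.

```javascript
// Added example: an in-memory stand-in for a database-backed session store.
// Web Crypto global (Node 19+); older Node falls back to the crypto module.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const IDLE_LIMIT_MS = 60 * 60 * 1000; // assumption: one hour of inactivity
const sessions = new Map(); // id -> { data, lastSeen }

// No Expires or Max-Age attribute, so the browser treats it as a session cookie.
function sessionCookie(id) {
  return `__session=${id}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

function createSession(data, now = Date.now()) {
  const bytes = webcrypto.getRandomValues(new Uint8Array(32));
  const id = Buffer.from(bytes).toString("hex"); // 256-bit random identifier
  sessions.set(id, { data, lastSeen: now });
  return id;
}

// Call on every request. Returns the session data and refreshes lastSeen,
// or returns null when the id is unknown or has been idle for too long.
function touchSession(id, now = Date.now()) {
  const record = sessions.get(id);
  if (!record) return null;
  if (now - record.lastSeen > IDLE_LIMIT_MS) {
    sessions.delete(id); // enforce the limit even if the sweep has not run yet
    return null;
  }
  record.lastSeen = now;
  return record.data;
}

// Scheduled task (cron job): delete every record idle beyond the limit.
function sweepIdleSessions(now = Date.now()) {
  let removed = 0;
  for (const [id, record] of sessions) {
    if (now - record.lastSeen > IDLE_LIMIT_MS) {
      sessions.delete(id);
      removed += 1;
    }
  }
  return removed;
}
```

Checking the idle limit inside `touchSession` as well as in the sweep means a stale record is rejected on use even when the daily job has not run yet.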
-
The feature ensures that a user's session is automatically terminated when they close their browser or tab, enhancing security and safeguarding sensitive data. Once a user logs in, a session is created, allowing them to navigate through the application seamlessly. As long as the browser or tab remains open, the session stays active.
However, when the user closes the browser or tab, the session is destroyed immediately. This ensures that any attempt to reopen the application requires the user to log in again, as the previous session is invalidated.