I'm developing a web application and using server session to control access to the application, this session should be terminated when the user logs out of the application, when closing all the tabs of the application or when it closes the browser. >
I would like to know which best practices for this type of control?
In .NET, I usually save the Authorization information in Encrypted Cookie. In cookies you can set expiration date, and from time to time renew / rewrite Cookie.
You can do an event-oriented schedule. The click event of the Logout button, the Aba close event, and the Browser close event, all of which can rewrite or put a validity in the Cookie past, thus, you condition your code to force the login screen entry every time the cookie is expired.
To ensure the least security, consider using Cookie content with encrypted values.
