element-hq / element-web

A glossy Matrix collaboration client for the web.
https://element.io
Apache License 2.0

Feature request: log out the session when browser window is closed #25151

Open AnassDriate opened 1 year ago

AnassDriate commented 1 year ago

Steps to reproduce

Hello,

If you close the browser without signing out from your Element session, the session will still remain open. If another user uses the same browser he will be able to log in to your session/account.

This is the same as #10421, but the solution that was proposed in #10421 affects all the clients (mobile, fat clients, and web); we would like to keep fat clients always open (because they have all the encryption keys...).

The solution proposed by Enannos in #10421 sounds like a great workaround (even a correct solution), but the bundle.js does not contain the information mentioned by Enannos:

Search into bundle.js for mx_access_token
Find localStorage.getItem("mx_access_token") and replace with sessionStorage.getItem("mx_access_token")

Outcome

For security reasons, the session should close when the user closes the browser.

Operating system

No response

Application version

No response

How did you install the app?

No response

Homeserver

No response

Will you send logs?

Yes

t3chguy commented 1 year ago

This is not a defect, it works as designed. You're asking for a new feature, a mode where things are deleted on logout. Issue with that is not all web storages can be configured to expire like this. Only SessionStorage is available for that purpose, IndexedDB is also required and that cannot expire as such. And when you're closing a browser the app is not guaranteed any further time to clean up any asynchronous calls.

AnassDriate commented 1 year ago

@t3chguy Thank you for your clarification, very clear. It will be great to add/implement this feature in the future. Regards,
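The constraint t3chguy describes (no guaranteed cleanup time at close, and IndexedDB with no expiry) can be sidestepped by purging at the next startup instead, keyed on a sessionStorage marker. The sketch below is an added example, not Element's code; the marker key, the database name and the in-memory stand-ins are assumptions, and only `mx_access_token` comes from the thread.

```javascript
// Only mx_access_token comes from the issue; the other names are hypothetical.
const SESSION_MARKER = "example_session_alive";
const PERSISTENT_KEYS = ["mx_access_token"];
const DATABASES = ["example-crypto-store"];
// Promise wrapper around IDBFactory.deleteDatabase().
function deleteDatabase(idb, name) {
  return new Promise((resolve, reject) => {
    const req = idb.deleteDatabase(name);
    req.onsuccess = () => resolve(name);
    req.onerror = () => reject(req.error);
    // Another tab still holds the database open: report it as not yet deleted.
    req.onblocked = () => reject(new Error(`${name} is blocked`));
  });
}

// Call at startup, before any credential is read. A missing sessionStorage
// marker means the previous page session ended, so its leftovers are purged.
async function purgeIfNewSession({ session, local, idb }) {
  if (session.getItem(SESSION_MARKER) !== null) {
    return { purged: false, failed: [] }; // same session, e.g. a reload
  }
  for (const key of PERSISTENT_KEYS) local.removeItem(key);
  const results = await Promise.allSettled(
    DATABASES.map((name) => deleteDatabase(idb, name)));
  const failed = DATABASES.filter((_, i) => results[i].status === "rejected");
  // Mark the session only after a clean purge, so a failed delete is retried.
  if (failed.length === 0) session.setItem(SESSION_MARKER, "1");
  return { purged: true, failed };
}
// In-memory stand-ins (constructed) so the logic can run outside a browser.
function memoryStorage(initial = {}) {
  const m = new Map(Object.entries(initial));
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => void m.set(k, String(v)),
    removeItem: (k) => void m.delete(k),
  };
}
function memoryIdb(names, blocked = false) {
  const dbs = new Set(names);
  return {
    has: (n) => dbs.has(n),
    deleteDatabase(n) {
      const req = {};
      queueMicrotask(() => (blocked ? req.onblocked() : (dbs.delete(n), req.onsuccess())));
      return req;
    },
  };
}
```

In a browser the call would be `purgeIfNewSession({ session: sessionStorage, local: localStorage, idb: indexedDB })`, with the app refusing to start while `failed` is non-empty. sessionStorage is scoped to a tab, so opening the app in a second tab also counts as a new session and purges the stores the first tab relies on.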