Rails 4: Session value never expires or dies when the browser closes

See update at end of question

In Rails 4, I understand that default sessions should exist only for a browsing session. If you close the browser, sessions should no longer exist.

However, I do not find it that way. I have a Rails 4 application using all the default values provided by Rails. I worked on some authentication code and ran into this problem.

When a user logs in, they have the option to "remember me" using the checkbox. When they check the box, the session should expire in 2 weeks. The goal is that when a user logs in and closes his browser, he can open the browser again and use the application without re-authentication.

On the other hand, if the user does NOT want to check the “remember me” checkbox and enters the application and closes the browser, when the browser is opened again, the user must authenticate again because his session is “expired” when the browser is closed.

The problem is that my sessions never disappear. I checked some simple code, where on page 1 I set the session variable in the controller, and then on page 2 I displayed this session. When I close the browser and go to page 2 (and not to page 1, so the session is not established again), the session still exists, as before.

I thought sessions should expire when the browser is closed by default? I also tried this with a cookie instead of sessions and got the same result.

In short, how can I get a session / cookie that expires / dies when a user closes their browser? It doesn’t seem very safe for me to keep all sessions if the user does not want them, and I don’t want my users to delete their cookies every time they close the browser (maybe on a public computer, where their login details should ONLY persist until they close the browser).

Update: I think I found something that might cause the problem. I use Chrome as my browser, and I decided to configure “remember where I left off” when the browser closes and opens. This seems to save all sessions / cookies. I also checked this with Gmail. If you have “remember where I left off” set but don’t set the “remember me” token in Gmail, Gmail opens when you close / open the browser. If you tell Chrome to open a new tab instead, Gmail will send you to the login page as I expect.

So, this solves one problem, but the general problem still persists. How can I make this "safe"? Let's say you are on a public computer, and the attacker forces the browser to “remember where I left off” when the browser opens. Thus, you enter the application (for example, Gmail), but do not check the "remember me" field. Therefore, when you close the browser, you expect your login to be "secure." But if another user opens a backup copy of the browser, he has already registered with your application.

Can I prevent this? If Gmail has this flaw (with an army of very smart developers), should I be worried that this situation exists?

1 answer

The browser’s “remember where I left off” functionality was really a problem. Removing this option led to the “expected” behavior for my cookies / sessions.
