Meteor clearing local storage on browser window close

android developer

Jul 21, 2014, 5:14:56 AM
to meteo...@googlegroups.com

Hi,

1) Logged into a meteor app using username and password
2) Close the window while user is logged in
3) Open another window, user is still logged in

Requirement:
User should be logged out and a sign in page should display

How can I achieve clearing local storage on closing browser window in meteor?

Gabriel Pugliese

Jul 21, 2014, 10:42:22 AM
to meteo...@googlegroups.com
localStorage.clear() will remove everything from Meteor.
Just type localStorage and you will see the hash with your token etc.

The real problem is clearing that on browser close. You can try putting this code anywhere on the client:


window.onbeforeunload = function() {
  localStorage.clear();
  return '';
};


Gabriel Pugliese
CodersTV.com
@coderstv



Dave Workman

Jul 21, 2014, 2:18:12 PM
to meteo...@googlegroups.com
I think in the "validateLoginAttempt" method the parameter "methodName" is "resume" if the user is logging in with a login token. You could just return false to not allow login token logins, thus not needing to clear local storage. Docs:

http://docs.meteor.com/#accounts_validateloginattempt

Security stuff like this should always be done on the server. Never the client.
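
A server-side sketch of the approach suggested in this post, added here as an example and not code from the thread or from Meteor itself. It checks the attempt object's `type` field, which Meteor sets to 'resume' for login-token logins, and goes one step beyond a flat rejection by allowing a token login only shortly after the same user's connection closed, so a page refresh or reconnect survives while a later new window gets the sign-in page. `GRACE_MS` and `makeResumePolicy` are hypothetical names, and the in-memory state is an assumption.

```javascript
// Added example (not from the thread). Runs on the server only.
// Assumptions: GRACE_MS and makeResumePolicy are hypothetical names;
// state is kept in memory, so a server restart forces a fresh login.
var GRACE_MS = 10 * 1000;

function makeResumePolicy(graceMs, now) {
  var lastClosed = {}; // userId -> time that user's last connection closed

  return {
    // Pass to Accounts.onLogin: remember when this user's connection closes.
    onLogin: function (attempt) {
      var userId = attempt.user._id;
      attempt.connection.onClose(function () {
        lastClosed[userId] = now();
      });
    },

    // Pass to Accounts.validateLoginAttempt: false rejects the login.
    validate: function (attempt) {
      if (!attempt.allowed) return false;          // keep earlier failures
      if (attempt.type !== 'resume') return true;  // password etc.: normal path
      var closedAt = attempt.user && lastClosed[attempt.user._id];
      // Token logins pass only shortly after a disconnect (refresh, reconnect).
      return closedAt !== undefined && now() - closedAt <= graceMs;
    }
  };
}

// Register with Meteor when this file is loaded inside a Meteor server.
if (typeof Accounts !== 'undefined') {
  var policy = makeResumePolicy(GRACE_MS, Date.now);
  Accounts.onLogin(policy.onLogin);
  Accounts.validateLoginAttempt(policy.validate);
}
```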

Gabriel Pugliese

Jul 21, 2014, 2:45:56 PM
to meteo...@googlegroups.com
Nice, Dave. Much better :)

But why is that a security concern?



Gabriel Pugliese
CodersTV.com
@coderstv


Andrew Mao

Jul 21, 2014, 2:58:30 PM
to meteo...@googlegroups.com
Because the client can just modify the code to not run that method to clear local storage (in your case `window.onbeforeunload = null`) and get around it.

Gabriel Pugliese

Jul 21, 2014, 5:27:39 PM
to meteo...@googlegroups.com
Well, so it's not really a security issue, then :) Except if you are clearing tokens due to security concerns; then I agree.
If it's just a UX issue, then it's not.



Gabriel Pugliese
CodersTV.com
@coderstv

android developer

Jul 22, 2014, 8:08:11 AM
to meteo...@googlegroups.com
Hi Gabriel Pugliese,

Thanks for the solution. By implementing this, local storage will be cleared on refresh also. How can I avoid this?

Thanks
Sumi

Anzel Lai

Jul 23, 2014, 3:22:58 PM
to meteo...@googlegroups.com
Just curious, window.onbeforeunload will clear your localStorage even if you just refresh your page.
I don't think this is what you want, though.

Gabriel Pugliese

Jul 23, 2014, 5:54:14 PM
to meteo...@googlegroups.com
True.
The best solution would be to be able to switch between sessionStorage and localStorage.



Gabriel Pugliese
CodersTV.com
@coderstv



Dave Workman

Jul 25, 2014, 1:56:18 PM
to meteo...@googlegroups.com
> But why is that a security concern?

I don't see a use case where someone would want this behaviour where the reason isn't for security. Along with what Andrew said about the user modifying the code to not clear local storage, there's also the chance the browser or OS crashes/restarts. Maybe I'm missing something, but why would you want your users to have to log in every time they visit your page but have multiple loopholes around it if they're smart enough?

 

Gabriel Pugliese

Jul 25, 2014, 10:56:58 PM
to meteo...@googlegroups.com

Have you tried Dave's suggestion?
