P.S. Freeing one's *session* on leaving works with any type of
authentication and makes sense in many cases -- it's just harder to
communicate this concept to the user...
Jess Holle wrote:
In most applications this is one of those *perceived* problems that
corporate users get uptight about.
The best way to prevent abuse of an idle authenticated browser window
is a screensaver with password lock -- as it protects the rest of the
computer, the documents thereon, etc.
The only really good case for a logout is where you have a shared
computer with many different users coming and going -- and all using a
single "guest" account on the client itself rather than separate
logins. In this case a "logoff" button that closed down the browser
would not be a half bad idea :-)
--
Jess Holle
P.S. Yes, I know transferring the name/password only on initial
authentication and using a session key of some sort from thereon out
is fractionally more secure -- but you still need HTTPS to really be
secure in either case.