I can see on the forum several people asked, and were told long ago, that there is no logout button, they should just "close their browser".
I just visited my HFS server in IE11 (Win8.1), opening a new tab to do so. I finished with my session, so I closed the tab as indicated by the info pages on HFS. In theory if it's stateless and just using HTTP header information, that information should have all been lost when I close the tab. But that isn't what happened. I opened a new tab and retyped the server URL "fresh", and it returned me to the logged-in page immediately.
1) Where is the login-state information that I am seeing, after closing the tab and in a fresh tab retyping the URL, coming from? Is there some other persistent mechanism at play that needs some different kind of logout process?
2) Most browsers by default auto-preserve session data in case of crash, or if the user may wish to undo the close action in this or a subsequent session. As it's unlikely that HFS will be the only tab in use, and one cannot easily verify whether session data is always deleted, does this mean that someone else can retype the URL or reopen the last closed tab, and will find state is auto-restored for it, in many cases? If that's likely, then what precautions are needed in addition to closing the tab, to ensure the server session cannot be resumed by simply CTRL-T "undo close tab" or "restore last session"?
3) Can the server distinguish between an open but idle session (the browser is open, requests would be valid but are not being "clicked") and a closed one (the browser has been closed or the computer or link have crashed, requests should not be valid unless logged in again)? If not then it's hard to know what to set for a login that should be left open indefinitely but with login required upon each new session.
Any help on these appreciated, thanks
