Bear Bibeault wrote:Why on earth would you want to expire the session just because the user refreshed the window?
I have seen some internet banking sites doing that. If you click on the refresh button/ back button of the browser a message is displayed saying that "because of security reasons back and refresh are disabled" and you will be automatically logged out of the site. I did not understand the reason for that though. Are back and refresh a threat to security in a secure web-app??