If the developer says so, he coded it. He has surely set a cookie, a
phpsessionid, or whatever, valid just for a session (in short yes it's
possible to do it).
Hard to say if he did what he pretended to do, without more information.

But if you have any doubt, why not just checking by yourself?

Login, close the browser, restart, try to get acces to the webapp
without logging in again, and check wether he's right.

--
viers

test.future (at) gmail (dot) com [email concealed] wrote:

>We have a web applicaiton which do not have logoff button. The developer claims that it is unnecessary, since the session can be terminated by closing the browser. Is it correct? Thanks.
>
>-----------------------------------------------------------------------
--
>Sponsored by: Watchfire
>
>The Twelve Most Common Application-level Hack Attacks
>Hackers continue to add billions to the cost of doing business online
>despite security executives' efforts to prevent malicious attacks. This
>whitepaper identifies the most common methods of attacks that we have seen,
>and outlines a guideline for developing secure web applications.
>Download this whitepaper today!
>
>https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9
r
>-----------------------------------------------------------------------
---
>
>
>
>
>

------------------------------------------------------------------------
-
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r

------------------------------------------------------------------------
--

[ reply ]