This is a question I have also been trying to answer (and mainly finding only posts related to disabling back button navigation or doing a check if not the most recent page in browser history then tell the browser to go forward again, which is either ineffective or degrades user experience).

Basic premise of the issue is:

1. User logs into secure application.

2. User views sensitive data.

3. User (not knowing any better) leaves browser window open (even though they may have closed the Tab that was displaying the website, or navigated to a page outside of the site).

4. User or Second User opens new tab and either:
a. uses history to return to previous page containing sensitive data, or
b. types url of login page to web app, but due to persistence of (http-only) session cookie (not accessible to client side script), is automatically returned to the logged in page of the previous user displaying sensitive data.

If it is the same user who finds themselves still logged in, this may affect their perception of site security. If it is a separate user who views this data, then in this particular application, that would be a breach of confidentality and data protection).

I checked a few different 3rd party secure sites (e.g. online bank) and so far found 2 that have solved the issue (and one that had not) - for major browsers (assuming both javascipt and cookies are available, otherwise they probably dont allow access).

I think that using a combination of a frameset, cookies set/expired appropriately by onload and onunload events on both frameset and content frame, and javascript to detect if the url causes inner frame to break out of the frameset - it is possible to acheive the desired automatic sign out while still distinguishing between initial site load and subsequent navigation within the site versus a full page reload, but I cannot yet see how to separate an F5/Refresh when the user has not left the page from a navigation away to external site and return to the original site via history or back button.

Any suggestions gratefully received..