Let's say you set a timer in your browser on page load which will send a request to the server after X min of inactivity to invalidate the session. User can disable client side scripts. Or make sure your application does not have concurrent requests. Is it really so unreasonable to start doing something in your web browser, walk away for an hour -- maybe even for a few hours -- then come back and expect things to just work? This is usually stored in a database of some kind, keyed by your session identifier. Please feel free to post any easier way to destroy a particular session.