Well:

User A sits down at a computer in a 'net cafe. They log into your web application and modify a news item (you have a content management system, for example).

They don't log off. Your system still treats that user/computer as correctly "logged in".

User A leaves.

User B sits down at the same computer and hits the same web page (they saw the other user doing something interesting). Your system still thinks that it's the SAME user. It treats them as authenticated. They can modify anything the last user could.

And that's just a simple example. The same's true of most applications - Email, Newsgroups, internal systems...

Craig.
Technically, the browser SHOULD give the user another session. But that's a "SHOULD". There's no guarantee that it WILL.

Plus, because the session is still actually ACTIVE on your system, user B could just find the Session ID of user A in the cookies on the system and create a HTTP request to "fool" your server into letting him in.

How much extra effort is it going to be to add a "logoff" button which simply points to a page which does a session.abandon?

Craig.
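A logoff page of the kind Craig describes, written here as an added example rather than code from the thread, and assuming ASP.NET Web Forms with the default session cookie name and Forms Authentication (the original only says "session.abandon", so the platform is an assumption). The point it adds is that Session.Abandon() alone leaves the session cookie in the browser, so the handler also expires that cookie and the authentication ticket.

```csharp
// Logoff.aspx.cs - added example, not from the original post.
// Assumes ASP.NET Web Forms, the default "ASP.NET_SessionId" cookie and Forms Authentication.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Logoff : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Drop the server-side session state so the old ID no longer maps to a user.
        Session.Abandon();

        // 2. Abandon() does not remove the session cookie from the browser, and the same
        //    ID would otherwise be handed back to whoever uses the machine next.
        //    Overwrite it with an already-expired, empty cookie.
        var sessionCookie = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        };
        Response.Cookies.Add(sessionCookie);

        // 3. The Forms Authentication ticket lives in a separate cookie; clear it too.
        FormsAuthentication.SignOut();

        // 4. Stop the browser or a shared proxy from serving cached authenticated pages
        //    to the next person at the keyboard (the 'net cafe case above).
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();

        // 5. Land the user on a public page.
        Response.Redirect("~/Login.aspx", endResponse: true);
    }
}
```

Point the "logoff" button (or a plain link) at Logoff.aspx; the page also needs to be reachable without authentication, or the redirect to the login page will fire before the cookies are cleared.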