Session must be invalidated from the server end if the browser gets closed.
how we can implement this?
Find image for your reference:
1.Closing the browser without logging out
2.Session does not get terminated when opening the browser
You can configure your browser to delete all cookies when you close it. The server has no way of knowing that you closed the browser.
A different approach (used in online banking) would be to invalidate a session after a certain period of inactivity. The client would request a new auth cookie every minute and if a cookie is older than, say, 15 minutes, it becomes invalid.