My research indicates that, if I create a cookie and don't set the expiration date, it will expire when the browser is closed.
So I created a cookie like this:
Response.Cookies.Set(new HttpCookie("MyKey", "X"));
But when I close the browser and then reopen it, the following expression equals true:
Request.Cookies["MyKey"] != null
How can I have the cookie expire when the browser session ends?
Note: For my purposes, using static data instead of a cookie seems ideal. But my understanding is that an ASP.NET application can restart for a variety of reasons, and that could pull the rug out from under the current user if I lost this setting.
You can extend the life of a cookie beyond the current browser session by setting an expiration date and saving the expiry date within the cookie. This can be done by setting the 'expires' attribute to a date and time.
Cookies without an Expires or Max-Age attribute are treated as session cookies, which means they are removed once the browser is closed. Setting a value on either Expires or Max-Age makes them permanent cookies, since they will exist until they hit their expiry date.
The browser session lasts as long as the browser is not closed by the user. Once the browser is closed, the session ends and the cookie is deleted. The next time the user wants to log into the website, they'll need to enter their information again to begin a new session.
It appears the issue is as Stober described. You can set a cookie to expire at the end of the browser session by setting the HttpCookie.Expires property to DateTime.MinDate, or not setting the property at all.
However, at least with Chrome's "pick up where you left off" setting, it appears that the browser session does not necessarily end when the browser closes. When closed and then reopened, the Chrome browser picks up right where it left off, as if the session never ended. This includes continuing to use cookies set to expire at the end of the session.
I tried my same code on Firefox. Closing and reopening the browser caused the cookie to expire, exactly as expected.
So while there are some general rules, in the end this behavior is totally up to the browser.
You can catch this on the next Session_start event. If you already have an authenticated user immediately when a brand new session starts, then you must have gotten that info from a stale cookie. Just null out the user info and let Login redirects take care of the rest.
Something like this in global.asax.cs:
using System.Security.Claims;   // ClaimsPrincipal, ClaimsIdentity
using System.Web;               // HttpContext and the GetOwinContext() extension
using Microsoft.Owin.Security;  // IAuthenticationManager

protected void Session_start()
{
    // starting a session and already authenticated means we have an old cookie
    var existingUser = System.Web.HttpContext.Current.User;
    if (existingUser != null && existingUser.Identity.Name != "")
    {
        // clear any existing cookies
        IAuthenticationManager authMgr = System.Web.HttpContext.Current.GetOwinContext().Authentication;
        authMgr.SignOut("MyCookieType");
        // manually clear user from HttpContext so Authorize attr works
        System.Web.HttpContext.Current.User = new ClaimsPrincipal(new ClaimsIdentity());
    }
}
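Since the answers above conclude that the end of a browser session is decided by the browser, the server can enforce the lifetime itself by putting a signed issue time inside the session cookie's value. This is an added example, not code from either answer; the class name `TimedCookieValue`, the demo key and the caller-chosen maximum age are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example: value format is "<issuedTicks>|<value>|<base64 HMAC-SHA256>".
public static class TimedCookieValue
{
    // Assumption: constructed demo key; load a real key from protected configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-change-me");

    public static string Create(string value, DateTime issuedUtc)
    {
        string payload = issuedUtc.Ticks + "|" + value;
        return payload + "|" + Sign(payload);
    }

    // True (and the original value) only if the signature matches and the
    // cookie was issued no longer than maxAge ago, whatever the browser kept.
    public static bool TryRead(string cookieValue, DateTime nowUtc, TimeSpan maxAge, out string value)
    {
        value = null;
        if (string.IsNullOrEmpty(cookieValue)) return false;
        int firstSep = cookieValue.IndexOf('|');
        int lastSep = cookieValue.LastIndexOf('|');
        if (firstSep <= 0 || lastSep <= firstSep) return false;
        string payload = cookieValue.Substring(0, lastSep);
        if (!FixedTimeEquals(cookieValue.Substring(lastSep + 1), Sign(payload))) return false;
        long ticks;
        if (!long.TryParse(payload.Substring(0, firstSep), out ticks)
            || ticks < 0 || ticks > DateTime.MaxValue.Ticks) return false;
        DateTime issued = new DateTime(ticks, DateTimeKind.Utc);
        if (issued > nowUtc || nowUtc - issued > maxAge) return false; // stale or future-dated
        value = payload.Substring(firstSep + 1);
        return true;
    }

    private static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Compare MACs without stopping at the first differing character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Set the cookie with `new HttpCookie("MyKey", TimedCookieValue.Create("X", DateTime.UtcNow))` and, on each request, treat `Request.Cookies["MyKey"]` as absent unless `TryRead` succeeds for the maximum age you choose.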