Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I log a user out when they close their browser or tab in ASP.NET MVC?

I need to sign out a user when the user closed the tab or browser, how do I do that in ASP.NET MVC?

like image 620
RandomUser Avatar asked May 13 '14 13:05

RandomUser


People also ask

How to automatically logout when close the browser in ASP net?

You can take use of JavaScript, basically you need to catch browser close[X] event. call javascript "onbeforeunload" event, which will check if Browser[X] event fired. if browser is closed by user then redirect the program execution to logout page.

How do I close a user session when browser is closed?

we can find the tab/browser close event in javascript using " window. onbeforeunload " & " window. onunload " events. you just need to call the logout action from javascript by clicking on logout icon.


1 Answers

There are a few things you can do to make sure the user is signed out when the browser is closed, but it depends on how you're setting the FormsAuthentication cookie:

  1. Use Cookieless=True.
  2. Set a FormsAuthenticationTicket to not be persistent
  3. Use FormsAuthentication.SetAuthCookie to set Persistence to false
  4. Use a JavaScript approach to remove the cookie on window.unload.

Cookieless=True approach:

<system.web>
  <authentication mode="Forms">
    <forms loginUrl="/Account/Login"
           protection="All"
           cookieless="true" //set to true   
  </authentication>
</system.web>

This appends the cookie value to the querystring in each request. The problem with this approach is it's not very secure and it messes with SEO. If a user sends anyone the URL they're using, that person can log in as the original user (probably not what you want). As far as 'messing with SEO', it causes the same page to look different to a googlebot based on what URL is passed in. Each QueryString change makes it a new URL, and if anyone uses this for posting a link; it will dilute the search results for a given actual URL.

FormsAuthenticationTicket Approach

When you set an Authentication cookie for the user, set Persistent to False.

If you're doing this in the FormsAuthentication.SetAuthCookie, this is default. If you use the FormsAuthenticationTicket class, you have to specify the cookie expiration.

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1,                   //version
    "blah",              //Cookie Name 

);

FormsAuthentication.SetAuthCookie() Approach

By default, if you don't set persistent, the authentication cookie will expire at the end of the session (when the user closes the browser).

FormsAuthentication.SetAuthCookie("CookieValue", false); //second argument is persistent'

JavaScript approach:

There are no foolproof methods; all you can do is set the cookie expiration date to before now and hope the user's browser co-operates. If you really, really, really, want the cookie gone, you can always try a JavaScript approach, but that won't work if the user has JavaScript disabled.

window.addEventListener('unload', function(event) {
   document.cookie = name + '=; expires=Thu, 01 Jan 1970 00:00:01 GMT;';
});

Other caveats

It also matters which browser you use. Chrome has the ability to run in the background, and that keeps Session Cookies around until their timeout is hit -- they are not dropped when the browser is closed (I found this out the hard way).

like image 83
George Stocker Avatar answered Sep 23 '22 00:09

George Stocker