1. Tab in browser, say I have 3 tabs open, launch my applicaiton then close tab, i'm able to open the secured page without reauthenticate.
I think if we close the tab, not close the whole browser, the cookie will not expires(supose we do not set the cookie expire time).
According to your web.config setting, cookie will expire atfer 30 minutes as default. So the web site will call you reauthenticate after 30 minutes.
And as we know, cookie is like a container that store the encryption FormsAuthenticationTicket. Asp.net use machine key to encrypt FormsAuthenticationTicket.
this machine key is random generate when the application start.
So what I mean is that you need to close the whole web browser, then you can reauthenticate.
jgn1013
If I click my logout page, which had FormsAuthentication.clear()
Use FormsAuthentication.SignOut() when click the logout button. It will remove cookies and tickets.
Is there another way then? Maybe not use cookie because I can't control what a user does and the only way to get then FormsAuth..SignOut() is have them click a logout link.
What is the particular problem you're trying to solve here? "I need to log a user out when he closes a browser tab" isn't a problem; it's a means to an end. Why
do you need to log the user out when he closes the tab? If you back up to the original problem, perhaps we'll all find another way to solve it.
In general, browsers store temporary cookies (including the ASP.NET FormsAuthentication cookie) for the entire lifetime of the browser process. Since closing a tab doesn't kill the browser process itself, the temporary cookie sticks around until the browser
is fully closed. So if within the same browser process you open a new tab and visit your web site, the browser will send the temporary cookie to the site. This isn't a flaw or a failure; this is just how cookies work.
Given this, depending on your actual problem, there might be a better solution for you and your customers. Hence the request for more information.
The problems is "when a user closes a tab, in a browser session after being authenticated" it doesn't log out or kill the FormsAuthentication cookie.The reason is for security reasons, while not a critical as say Banking or Credit Card sites I would like
it to act the same way. Maybe I shouldn't be using cookies, are there other ways, suggestions? Thanks
I think it is hard for us to monitor client behaivor 100% accurately.
One method is use javascript and ajax to call a server method or a page when the page is close.We can use window.onunload = function(){call servermethod}.
But these method can not catch the quit of user when user browser close unnormally like kill the process of browser, shut down PC...
If you do need to control user login status for some security reasons(bank site or credit business deal), I think you could consider preventing a user to open a aspx page(which should be authenticated before visit).
jgn1013
Member
78 Points
45 Posts
Close Tab doesn't logout
Aug 27, 2010 12:33 AM|LINK
When closing my tab, Formsauthentication doesn't clear, thanks!
protected void Login1_Authenticate(object sender, AuthenticateEventArgs e) { if (Classes.CStaticDataAccess.AuthenticateUser(Login1.UserName, Login1.Password)) { FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, Login1.UserName, DateTime.Now, DateTime.Now.AddMinutes(1), false, ""); string secureTicket = FormsAuthentication.Encrypt(ticket); HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, secureTicket); Response.Cookies.Add(authCookie); string redirectUrl = FormsAuthentication.GetRedirectUrl(Login1.UserName, false); HttpContext.Current.Response.Redirect(redirectUrl); // System.Web.Security.FormsAuthentication.SetAuthCookie(Login1.UserName, false); e.Authenticated = true; } else { e.Authenticated = false; } }
<authentication mode="Forms"> <forms name=".ASPXFORMSAUTH" loginUrl="~/Ware2Login.aspx" protection="All" timeout="30" path="/" ></forms> </authentication> <authorization> <deny users="?"/> </authorization>
forms authenication close tab
thuhue
All-Star
15625 Points
3146 Posts
Re: Close Tab doesn't logout
Aug 27, 2010 12:41 AM|LINK
Please elaborate on "When closing my tab, Formsauthentication doesn't clear".
jgn1013
Member
78 Points
45 Posts
Re: Close Tab doesn't logout
Aug 27, 2010 12:46 AM|LINK
Sorry, should have been more clear.
1. Tab in browser, say I have 3 tabs open, launch my applicaiton then close tab, i'm able to open the secured page without reauthenticate.
2. If I click my logout page, which had FormsAuthentication.clear() then close browser tab, I then need to login in again.
thuhue
All-Star
15625 Points
3146 Posts
Re: Close Tab doesn't logout
Aug 27, 2010 01:02 AM|LINK
Look here:
http://forums.asp.net/p/1168107/2373849.aspx
jgn1013
Member
78 Points
45 Posts
Re: Close Tab doesn't logout
Aug 27, 2010 01:38 AM|LINK
<asp:LoginView ID="LoginView1" runat="server"> <LoggedInTemplate> <asp:LoginStatus ID="LoginStatus1" runat="server" LogoutText=""> </asp:LoginStatus> </LoggedInTemplate> </asp:LoginView>Still doesn't work, what am I doing wrong?
Zizhuoye Che...
All-Star
21927 Points
1915 Posts
Microsoft
Re: Close Tab doesn't logout
Sep 01, 2010 06:55 AM|LINK
Hi,
I think if we close the tab, not close the whole browser, the cookie will not expires(supose we do not set the cookie expire time).
According to your web.config setting, cookie will expire atfer 30 minutes as default. So the web site will call you reauthenticate after 30 minutes.
And as we know, cookie is like a container that store the encryption FormsAuthenticationTicket. Asp.net use machine key to encrypt FormsAuthenticationTicket.
this machine key is random generate when the application start.
So what I mean is that you need to close the whole web browser, then you can reauthenticate.
Use FormsAuthentication.SignOut() when click the logout button. It will remove cookies and tickets.
Hope this is clear for you.
If you have any feedback about my replies, please contact msdnmg@microsoft.com
Microsoft One Code Framework
jgn1013
Member
78 Points
45 Posts
Re: Close Tab doesn't logout
Sep 01, 2010 11:27 AM|LINK
Is there another way then? Maybe not use cookie because I can't control what a user does and the only way to get then FormsAuth..SignOut() is have them click a logout link.
levib
Star
7636 Points
1092 Posts
AspNetTeam
Re: Close Tab doesn't logout
Sep 01, 2010 07:58 PM|LINK
What is the particular problem you're trying to solve here? "I need to log a user out when he closes a browser tab" isn't a problem; it's a means to an end. Why do you need to log the user out when he closes the tab? If you back up to the original problem, perhaps we'll all find another way to solve it.
In general, browsers store temporary cookies (including the ASP.NET FormsAuthentication cookie) for the entire lifetime of the browser process. Since closing a tab doesn't kill the browser process itself, the temporary cookie sticks around until the browser is fully closed. So if within the same browser process you open a new tab and visit your web site, the browser will send the temporary cookie to the site. This isn't a flaw or a failure; this is just how cookies work.
Given this, depending on your actual problem, there might be a better solution for you and your customers. Hence the request for more information.
jgn1013
Member
78 Points
45 Posts
Re: Close Tab doesn't logout
Sep 01, 2010 08:16 PM|LINK
The problems is "when a user closes a tab, in a browser session after being authenticated" it doesn't log out or kill the FormsAuthentication cookie.The reason is for security reasons, while not a critical as say Banking or Credit Card sites I would like it to act the same way. Maybe I shouldn't be using cookies, are there other ways, suggestions? Thanks
Zizhuoye Che...
All-Star
21927 Points
1915 Posts
Microsoft
Re: Close Tab doesn't logout
Sep 02, 2010 12:27 PM|LINK
Hi,
I think it is hard for us to monitor client behaivor 100% accurately.
One method is use javascript and ajax to call a server method or a page when the page is close.We can use window.onunload = function(){call servermethod}.
But these method can not catch the quit of user when user browser close unnormally like kill the process of browser, shut down PC...
If you do need to control user login status for some security reasons(bank site or credit business deal), I think you could consider preventing a user to open a aspx page(which should be authenticated before visit).
Use
And In Login.aspx.cs not allow user to login duplicated.
Hopes can help you.
If you have any feedback about my replies, please contact msdnmg@microsoft.com
Microsoft One Code Framework