How do I log a user out when they close their browser or tab in ASP.NET MVC?

和自甴很熟 提交于 2019-11-27 07:01:43
George Stocker

There are a few things you can do to make sure the user is signed out when the browser is closed, but it depends on how you're setting the FormsAuthentication cookie:

  1. Use Cookieless=True.
  2. Set a FormsAuthenticationTicket to not be persistent
  3. Use FormsAuthentication.SetAuthCookie to set Persistence to false
  4. Use a JavaScript approach to remove the cookie on window.unload.

Cookieless=True approach:

<system.web>
  <authentication mode="Forms">
    <forms loginUrl="/Account/Login"
           protection="All"
           cookieless="true" //set to true   
  </authentication>
</system.web>

This appends the cookie value to the querystring in each request. The problem with this approach is it's not very secure and it messes with SEO. If a user sends anyone the URL they're using, that person can log in as the original user (probably not what you want). As far as 'messing with SEO', it causes the same page to look different to a googlebot based on what URL is passed in. Each QueryString change makes it a new URL, and if anyone uses this for posting a link; it will dilute the search results for a given actual URL.

FormsAuthenticationTicket Approach

When you set an Authentication cookie for the user, set Persistent to False.

If you're doing this in the FormsAuthentication.SetAuthCookie, this is default. If you use the FormsAuthenticationTicket class, you have to specify the cookie expiration.

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1,                   //version
    "blah",              //Cookie Name 

);

FormsAuthentication.SetAuthCookie() Approach

By default, if you don't set persistent, the authentication cookie will expire at the end of the session (when the user closes the browser).

FormsAuthentication.SetAuthCookie("CookieValue", false); //second argument is persistent'

JavaScript approach:

There are no foolproof methods; all you can do is set the cookie expiration date to before now and hope the user's browser co-operates. If you really, really, really, want the cookie gone, you can always try a JavaScript approach, but that won't work if the user has JavaScript disabled.

window.addEventListener('unload', function(event) {
   document.cookie = name + '=; expires=Thu, 01 Jan 1970 00:00:01 GMT;';
});

Other caveats

It also matters which browser you use. Chrome has the ability to run in the background, and that keeps Session Cookies around until their timeout is hit -- they are not dropped when the browser is closed (I found this out the hard way).

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!