How to Log a User Out When They Close Their Browser or Tab in ASP.NET MVC

  • Home
  • Languages
  • Csharp
  • How to Log a User Out When They Close Their Browser or Tab in ASP.NET MVC

How do I log a user out when they close their browser or tab in ASP.NET MVC?

There are a few things you can do to make sure the user is signed out when the browser is closed, but it depends on how you're setting the FormsAuthentication cookie:

  1. Use Cookieless=True.
  2. Set a FormsAuthenticationTicket to not be persistent
  3. Use FormsAuthentication.SetAuthCookie to set Persistence to false
  4. Use a JavaScript approach to remove the cookie on window.unload.

Cookieless=True approach:

<system.web>
  <authentication mode="Forms">
    <forms loginUrl="/Account/Login"
           protection="All"
           cookieless="true" //set to true   
  </authentication>
</system.web>

This appends the cookie value to the querystring in each request. The problem with this approach is it's not very secure and it messes with SEO. If a user sends anyone the URL they're using, that person can log in as the original user (probably not what you want). As far as 'messing with SEO', it causes the same page to look different to a googlebot based on what URL is passed in. Each QueryString change makes it a new URL, and if anyone uses this for posting a link; it will dilute the search results for a given actual URL.

FormsAuthenticationTicket Approach

When you set an Authentication cookie for the user, set Persistent to False.

If you're doing this in the FormsAuthentication.SetAuthCookie, this is default. If you use the FormsAuthenticationTicket class, you have to specify the cookie expiration.

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1,                   //version
    "blah",              //Cookie Name 

);

FormsAuthentication.SetAuthCookie() Approach

By default, if you don't set persistent, the authentication cookie will expire at the end of the session (when the user closes the browser).

FormsAuthentication.SetAuthCookie("CookieValue", false); //second argument is persistent'

JavaScript approach:

There are no foolproof methods; all you can do is set the cookie expiration date to before now and hope the user's browser co-operates. If you really, really, really, want the cookie gone, you can always try a JavaScript approach, but that won't work if the user has JavaScript disabled.

window.addEventListener('unload', function(event) {
   document.cookie = name + '=; expires=Thu, 01 Jan 1970 00:00:01 GMT;';
});

Other caveats

It also matters which browser you use. Chrome has the ability to run in the background, and that keeps Session Cookies around until their timeout is hit -- they are not dropped when the browser is closed (I found this out the hard way).

How to logout the user while the browser is closed in MVC?

This way i implement. Use onbeforeunload event when tab is closing.

<script type="text/javascript">
    window.onbeforeunload = function () {
        window.location.href = '/logout'; //your action to logout

    });
  };
</script>

or ajax call to logout

<script type="text/javascript">
    window.onbeforeunload = function () {
         $.ajax({
        type: "POST",
        url: "/logout",
        success: function (result) {
            //
        }
    });

    };
</script>

Logout on browser or tab close

As @AndreiV state, there is no way of detecting when the user closes the browser.

I opted to implement SignalR and monitor the connection for a disconnect event, at which point, based on some criteria, I un-authenticate the user's session. If he then comes back the the site, I know that his session is no longer valid and he is redirected to the login page.

Logoff User when browser tab page is closed, ASP.NET MVC

We decided to use cookie less authentication so that the authentication token is part of the url. When the tab is closed and they open the website again, they will be asked to authenticate again :)

how to end session or logout a user on browser close MVC ASP .NET

You can use:

function del_cookie(name) {
    document.cookie = name + '=; expires=Thu, 01-Jan-70 00:00:01 GMT;';
}
<body onload="SetCookie()" onunload="del_cookie()">

source here

try modify it yourself

The Logging out event when a user closes the browser

You have to accept the limitations of web technology. Once you have sent your response to the user agent, the server has no way to know what is happening with the request. The user might close the user agent gracefully. The UA might crash. The user might lose internet connection. His computer can crash. All of this can happen before the client even receives the response. This is the environment you are dealing with. Embrace it instead of fighting it.

If tracking logoff is important to you, there are several techniques you might use:

  1. Rely on the session timeout. If you choose a timeout short enough it might be enough to meet your security requirements. I would consider this the preferred way, because it is simple and proven.
  2. Use scripting to send a heartbeat from the UA to the server. You can use "ping" requests, long calls etc. However, be aware of the performance impact this comes with, the number of requests to the server and the complexity of the implementation.
  3. Use an existing framework such as SignalR to establish a client-to-server connection and have the client check in to the server. This is basically the second option with less manual work for you.

All of this wouldn't let you intercept user logoff or loss of connection, but if the client stops responding you know that the connection is interrupted (in one of many possible ways). So you shouldn't register this as "user logged off", but rather as "user disconnected".

Asp.net user is logged out when browser closes

what browser are you using? There is session life time configuration in .net, but look like it's your cookies got clear or invalid whenever you closed. The tab window is nothing special but share the same storage/cookies and any browser resources. You still be able to login because your cookies still exist/valid, only kill the tab will not log you out because your browser cookies remain holding the valid token to the server.

In MVC web application, how to handle session, when browser or tab is closed without logout

The only stable way is to use Session_End in Global.asax.

protected void Session_End(object sender, EventArgs e)
{
    System.Diagnostics.Debug.WriteLine("Session_End");
    FormsAuthentication.Signout();
}

This is an event handler that gets called when the user session ends.


Related Topics

How to Connect to Any of the Specified MySQL Hosts. C# MySQL

Change File Extension Using C#

Does Dispose Still Get Called When Exception Is Thrown Inside of a Using Statement

Why Does a Bad Password Cause "Padding Is Invalid and Cannot Be Removed"

How to Have a Loop in a Windows Service Without Using the Timer

Console App Mouse-Click X Y Coordinate Detection/Comparison

Making a Web Request to a Web Page Which Requires Windows Authentication

Does Filestreamresult Close Stream

Error: Must Create Dependencysource on Same Thread as the Dependencyobject Even by Using Dispatcher

Regex for Ip Address

Custom Validation Attributes: Comparing Two Properties in the Same Model

How to Read Image Pixels' Values as Rgb into 2D Array

Removing Event Handlers

How to Set/Change/Remove Focus Style on a Button in C#

Asynchronous Iterator Task<Ienumerable<T>>

Disabling Screen Saver and Power Options in C#

Async Await VS Getawaiter().Getresult() and Callback

Edit Specific Element in Xdocument


Leave a reply



Submit