How do I log a user out when they close their browser or tab in ASP.NET MVC?

I need to sign out a user when the user closes the tab or browser. How do I do that in ASP.NET MVC?

Burg answered 13/5, 2014 at 13:32 Comment(10)
Do you have anything currently to attempt to do this? Any code / ideas you have currently would help provide a better answer. – Millsap
I tried to clear out on Session_Start but it was bad – Burg
See Automatically sign out from Forms Authentication in ASP.NET when browser is closed, Logoff User when browser tab page is closed, ASP.NET MVC, log out from browser if the brower closes in asp .net? – Taper
@Taper Those are great related questions -- they all solve the problem in different ways. – Overmodest
@George that's why we need more reference questions and answers carefully explaining the up- and downsides of each approach, and less people answering poorly-researched questions because they just happen to know how to solve a specific part of the question. – Taper
@Taper The only way to create a 'reference question' is to have an existing question to use as one. – Overmodest
@George all three questions I linked ask the same question as this one, the second one (from 2009) mentions your solution in the question and explicitly mentions "if they close the tab". – Taper
@Taper The second one lists the Cookieless approach -- which isn't a good approach for reasons I make clear in my answer. None of the answers you link to mention my approach. – Overmodest
I am also having this problem. Specifically with CHROME. The below solutions have not worked. – Outfight
@Outfight Have you tried the JavaScript approach? It should resolve the chrome issue. – Overmodest
O
28

There are a few things you can do to make sure the user is signed out when the browser is closed, but it depends on how you're setting the FormsAuthentication cookie:

  1. Use Cookieless=True.
  2. Set a FormsAuthenticationTicket to not be persistent
  3. Use FormsAuthentication.SetAuthCookie to set Persistence to false
  4. Use a JavaScript approach to remove the cookie on window.unload.

Cookieless=True approach:

<system.web>
  <authentication mode="Forms">
    <!-- cookieless="UseUri" is the forms setting that carries the ticket in the URL instead of a cookie -->
    <forms loginUrl="/Account/Login"
           protection="All"
           cookieless="UseUri" />
  </authentication>
</system.web>

This appends the cookie value to the querystring in each request. The problem with this approach is it's not very secure and it messes with SEO. If a user sends anyone the URL they're using, that person can log in as the original user (probably not what you want). As far as 'messing with SEO', it causes the same page to look different to a Googlebot based on what URL is passed in. Each QueryString change makes it a new URL, and if anyone uses this for posting a link, it will dilute the search results for a given actual URL.

FormsAuthenticationTicket Approach

When you set an Authentication cookie for the user, set Persistent to False.

If you're doing this in the FormsAuthentication.SetAuthCookie, this is the default. If you use the FormsAuthenticationTicket class, you have to specify the cookie expiration.

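FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1,                            // version
    "blah",                       // user name stored in the ticket
    DateTime.Now,                 // issue date
    DateTime.Now.AddMinutes(30),  // ticket expiration (30 minutes is an example value)
    false,                        // isPersistent: false, so the cookie is not kept across sessions
    string.Empty                  // user data
);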

FormsAuthentication.SetAuthCookie() Approach

By default, if you don't set persistent, the authentication cookie will expire at the end of the session (when the user closes the browser).

FormsAuthentication.SetAuthCookie("CookieValue", false); // first argument is the user name; second is createPersistentCookie

JavaScript approach:

There are no foolproof methods; all you can do is set the cookie expiration date to before now and hope the user's browser co-operates. If you really, really, really, want the cookie gone, you can always try a JavaScript approach, but that won't work if the user has JavaScript disabled.

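window.addEventListener('unload', function (event) {
    var name = '.ASPXAUTH'; // cookie name; .ASPXAUTH is the forms-authentication default
    // Script can only expire a cookie that is not HttpOnly and whose path matches.
    document.cookie = name + '=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/;';
});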

Other caveats

It also matters which browser you use. Chrome has the ability to run in the background, and that keeps Session Cookies around until their timeout is hit -- they are not dropped when the browser is closed (I found this out the hard way).

Overmodest answered 13/5, 2014 at 13:47 Comment(2)
Did you reopen the question to be able to post this answer? :) This won't work if the user only closes the tab, nor will it when the user navigates to a different page on the same tab and later goes back. – Taper
I like the JavaScript approach, but what is the variable name in the code? Is it the cookie name? If so, where can I get it? It is created with ASP Identity. – Latrell
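
An added example, not part of the original answer or comments: a small Node.js check that reads the Set-Cookie header from a login response and reports whether the authentication cookie is a session cookie or a persistent one, and whether script such as the unload handler in the answer could clear it. The `.ASPXAUTH` name is the ASP.NET forms-authentication default; the function names and sample headers are constructed for illustration.

```javascript
// Constructed sample headers (not captured from a real site).
const SAMPLE_HEADERS = [
  '.ASPXAUTH=PLACEHOLDER_TICKET; path=/; HttpOnly',
  '.ASPXAUTH=PLACEHOLDER_TICKET; expires=Wed, 01 Jan 2025 00:00:00 GMT; path=/; secure; HttpOnly',
  '.ASPXAUTH=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/',
];

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const pair = parts[0] || '';
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attrs: {},
  };
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// Classify the cookie's lifetime and whether document.cookie can touch it.
function auditAuthCookie(header, now = new Date()) {
  const { name, attrs } = parseSetCookie(header);
  let lifetime = 'session'; // no Expires/Max-Age: dropped when the browser session ends
  const maxAge = attrs['max-age'];
  if (typeof maxAge === 'string' && /^-?\d+$/.test(maxAge)) {
    // Max-Age takes precedence over Expires (RFC 6265).
    lifetime = Number(maxAge) > 0 ? 'persistent' : 'deleted';
  } else if (typeof attrs.expires === 'string') {
    lifetime = new Date(attrs.expires) > now ? 'persistent' : 'deleted';
  }
  const httpOnly = attrs.httponly === true;
  return {
    name,
    lifetime,
    httpOnly,
    secure: attrs.secure === true,
    scriptCanClear: !httpOnly, // HttpOnly cookies are invisible to document.cookie
  };
}

const now = new Date('2024-01-01T00:00:00Z'); // fixed clock for the samples
for (const h of SAMPLE_HEADERS) console.log(auditAuthCookie(h, now));
```

A `session` result is what the non-persistent settings in the answer should produce; a `persistent` result means the cookie will survive a browser restart regardless of any unload script.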
