Hello everyone.

I'm developing a small web application, used on a shared computer.

When the user closes the browser window, I want the session and the authentication to be deleted.

In the Login page I use something like this to authenticate the user:

FormsAuthenticationTicket authTicket =
      new FormsAuthenticationTicket(1,txtUser.Text,
                                    DateTime.Now,
                                    DateTime.Now.AddMinutes(5),
                                    false,"");

string encTicket = FormsAuthentication.Encrypt(authTicket);
HttpCookie faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
HttpContext.Current.Response.Cookies.Add(faCookie);
string redirectUrl = FormsAuthentication.GetRedirectUrl(txtUser.Text, false);
HttpContext.Current.Response.Redirect(redirectUrl);

As you can see, I have set the "isPersistent" variable to false.

This seems to work on Chrome (haven't tested on IE), however, when I run the app on Firefox, with multiple tabs activated, if I close the browser and open it again, I'm still authenticated, and the cookie is still there!

It's really strange, because the cookie should be removed on closing... Is this a bug in Firefox, when you have multiple tabs opened? How can I fix this?

Help is much appreciated!

Thanks in advance

A: 

Just a wild guess: make sure you haven't got the Firefox Downloads window still open...

Wim Hollebrandse
+2  A: 

Are you closing the browser, or just the one tab? You need to close the whole browser. If you have multiple top-level browser windows open, all of them need to be closed. Also, any other windows that are part of the Firefox process need to be closed, too: Downloads, Live HTTP Headers, View Page Source, etc.

GBegen
+2  A: 

Instead of relying on Mozilla or any other browser, I would recommend using this code to delete the cookies:

if (Request.Cookies["UserSettings"] != null)
{
    HttpCookie myCookie = new HttpCookie("UserSettings");
    myCookie.Expires = DateTime.Now.AddDays(-1d);
    Response.Cookies.Add(myCookie);
}

For more information regarding this topic: How to: Delete a Cookie

Edit:

If you want to delete cookies during page unload, you can use JavaScript to accomplish that:

<html>
<head>
  <title></title>
  <script type="text/javascript">
   function deleteCookie()
   {
     var d = new Date();
     document.cookie = "v0=1;expires=" + d.toGMTString() + ";" + ";";
     alert(document.cookie);
   }

  </script>
</head>

<body onunload="deleteCookie()">
...

</body>
</html>

I think in your situation JavaScript is the best solution.

Braveyard
And where do I put that code? Because I want to delete it when the user closes the window, and I don't find any handler for this.
Tom S.
@Tom S.: According to your question, I've changed my answer. Hope it helps.
Braveyard
A: 

Thanks for the tips guys, but I'm sure I'm closing the browser, without any more Firefox-related windows open.

By reading this, it seems that this is the default browser behavior, chosen by the Firefox 3 designers...

It seems it stores on disk the cookies that are supposed to be stored in RAM, to recover the tabs when you open the browser again. So if you want the session to be deleted, you need to close all tabs, and then the browser...

I think this can cause some flaws regarding authentication security. For example, someone is using the application, finishes the job and leaves, closing the browser and not the tabs. Since the computer is shared, right after that another user opens the browser, and he will see all the tabs, with the previous session restored...

Tom S.
A: 

Don't use cookies, use session to store the authenticated user, and ASP.NET will manage the session cookie for you. It works with Firefox and is more secure.

But if you want to continue with this authentication cookie, place the code to remove it in the Global.asax Session_Start event.

protected void Session_Start(object sender, EventArgs e)
{
    HttpContext.Current.Request.Cookies.Remove(FormsAuthentication.FormsCookieName);
}
Wagner
Great idea, removing it when the session starts! But why is using session better? And how do I store the authenticated user in the session? I'm using the authentication system from ASP.NET, defining this tag in web.config: <authentication mode="Forms"> <forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH"/> </authentication>
Tom S.
This actually doesn't work, because the ASP.NET session doesn't end in Mozilla if you don't close the specific tab. If you close the window without closing the tab, the session is still active.
Tom S.
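
The thread's finding is that Firefox session restore can bring back a non-persistent cookie after the browser is closed, so the server cannot count on the browser discarding it. The following is an added example, not code from any poster in this thread: it caps the total lifetime of a login on the server by recording the login time in the ticket's userData. The `Global` class name, the `IssueTicket` helper and the 15-minute `MaxLoginAge` are assumptions.

```csharp
using System;
using System.Globalization;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Assumed policy: a login is valid for at most 15 minutes in total,
    // even if the browser restores the cookie after a restart.
    private static readonly TimeSpan MaxLoginAge = TimeSpan.FromMinutes(15);

    // Hypothetical helper: call from the login page once credentials are verified.
    public static void IssueTicket(HttpResponse response, string userName)
    {
        DateTime now = DateTime.Now;
        // userData records the original login time (UTC, round-trip format);
        // sliding renewal copies userData, so the value survives renewals.
        string loginUtc = now.ToUniversalTime().ToString("o", CultureInfo.InvariantCulture);
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddMinutes(5), false, loginUtc);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                        // not readable from script
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);                  // no Expires: session cookie
    }

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null) return;                  // anonymous request

        DateTime loginUtc;
        bool parsed = DateTime.TryParse(identity.Ticket.UserData,
            CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind, out loginUtc);

        // Reject tickets without a login time and tickets older than the cap.
        if (!parsed || DateTime.UtcNow - loginUtc > MaxLoginAge)
        {
            FormsAuthentication.SignOut();             // sends an expired auth cookie
            FormsAuthentication.RedirectToLoginPage(); // does not end the request itself
            CompleteRequest();                         // skip the page handler
        }
    }
}
```

The 5-minute ticket expiration from the question still acts as the idle timeout; the userData check adds an upper bound that a restored cookie cannot slide past.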