views:

21

answers:

1

Hi!

I have some problems with getting my website to log out the authenticated user automatically when the session ends (the user closes the browser).

This is what I have in my web.config:

<authentication mode="Forms">
    <forms name="AuthCookie" protection="All" loginUrl="~/default.aspx" path="/" cookieless="UseCookies" timeout="2592000"/>
</authentication>

<authorization>
    <allow users="?" />
</authorization>

<membership defaultProvider="ASPPGSqlMembershipProvider" userIsOnlineTimeWindow="20">
    <providers>
        <clear />
        <add name="AspNetSqlMemberShipProvider" applicationName="umbraco4" type="System.Web.Security.SqlMembershipProvider" connectionStringName="UmbracoDb" requiresUniqueEmail="true" enablePasswordReset="true" enablePasswordRetrieval="false"/>
        <add name="UsersMembershipProvider" applicationName="umbraco4" type="umbraco.providers.UsersMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" />
        <add name="ASPPGSqlMembershipProvider" applicationName="umbraco4"
            passwordStrengthRegularExpression="" minRequiredPasswordLength="4" minRequiredNonalphanumericCharacters="0"
            enablePasswordRetrieval="false"
            enablePasswordReset="true"
            requiresQuestionAndAnswer="false"
            requiresUniqueEmail="true"
            forumUpfileFolderPath="D:\www\files"
            type="ASPPG.MembershipProviders.ASPPGSqlMembershipProvider, ASPPGSiteIntegrationPackage"/>
    </providers>
</membership>

This is how I log in the user:

if (Membership.ValidateUser(txtUserName.Text, txtPasssword.Text)) {
    HttpCookie cookie = FormsAuthentication.GetAuthCookie(txtUserName.Text, false);
    cookie.Expires = DateTime.Now.AddDays(1);
    cookie.Domain = ConfigurationManager.AppSettings["Level2DomainName"];
    HttpContext.Current.Response.Cookies.Add(cookie);
    Response.Redirect(Request.Url.ToString());
}

When I close the browser, the user is still logged in. How do I make the website forget the user through an option, so the user himself can decide if the website should remember or not?

Thanks in advance :)

M

+4  A: 

Have you tried NOT setting the cookie.Expires or at least setting it to DateTime.MinValue for user's that don't want to be 'remembered'?

From MSDN:

Setting the Expires property to MinValue makes this a session Cookie, which is its default value.

Kelsey
You are citing from the System.Net namespace, but it appears the question is in in the System.Web namespace. I don't know how they relate, but I did not find a similar comment about cookie.Expires in the System.Web namespace.
abelenky
@abelenky I couldn't find a good citation from System.Web so I did a quick search and found it in System.Web. I am not sure why the remark is not included in both spots.
Kelsey
@able - a cookie is a cookie, be it a Cookie or HttpCookie. only the wrapper changed, not the underlying implementation and behavior in regards to ASP.net forms authentication.
Sky Sanders