We have a scenario in which we would like to detect when the user has left our site and immediately expire their .Net session. We're using Forms Authentication. We're not talking about a session timeout, which we already have. We would like to know when a user has browsed away from our site, either via a link, by typing in an address or following a bookmark. If they return to our site, even if right away, they will have to log back in (I understand this is not great usability - this is a security requirement we've been given by our client).

My initial instinct is that this is either not possible, or that any solutions will be extremely unreliable. The only solutions we've come up with are:

  • Add a JavaScript onBlur event handler that tells the server to log out the session when the user leaves the site.
  • Once the user has logged in, check the HTTP referrer to ensure that the user has navigated from within the site.
  • Add AJAX polling back to the server to keep the session refreshed, possibly on a 10-second interval. When the call isn't received on time the session would end.

The onBlur seems like the easiest, but possibly least reliable method - I'm not sure if it would even work. There are also issues with the referrer method, as the user could type in an address within the site and not follow a link. The AJAX method seems like it would work, but it's complicated - I'm not even sure how to handle it on the back-end. I'm thinking there might also be scenarios in which that wouldn't always work.

Any ideas would be appreciated. Thanks.

A: 

If the user closes their browser, or types in a different URL (including selecting a favourite) there is not much for you to detect.

For links on your site, you could create links that forward via your site (i.e. rather than linking to http://example.com/foo you link to http://mysite.com/forwarder?dest=http://example.com/foo).

Just be careful to only forward to sites you intend to, otherwise you can open up security issues with "universal forwarding" being used for phishing etc.

Richard
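One way to build the forwarder Richard describes without creating an open redirect, as an added example that is not part of his answer: the destination is parsed as an absolute URL, restricted to http/https, and its host compared exactly against an allowlist before any redirect is issued. The class names, the Forwarder.aspx page name and the hosts in the allowlist are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Hypothetical policy class: decides whether a "dest" value may be forwarded to.
public static class ForwarderPolicy
{
    // Assumed allowlist; replace with the external sites your pages actually link to.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "example.com", "www.example.com" };

    // Returns the normalised absolute URL to redirect to, or null when the request must be refused.
    public static string ResolveDestination(string dest)
    {
        if (string.IsNullOrWhiteSpace(dest))
            return null;

        // Require a parseable absolute URL. Relative paths and "javascript:" values never
        // get past the http/https scheme check below.
        Uri uri;
        if (!Uri.TryCreate(dest, UriKind.Absolute, out uri))
            return null;
        if (uri.Scheme != Uri.UriSchemeHttps && uri.Scheme != Uri.UriSchemeHttp)
            return null;

        // Exact host match: "example.com.attacker.test" is not a suffix match, and
        // "https://example.com@attacker.test" parses with Host == "attacker.test", so both fail.
        if (!AllowedHosts.Contains(uri.Host))
            return null;

        return uri.AbsoluteUri;
    }
}

// Hypothetical Forwarder.aspx code-behind: /forwarder?dest=... only redirects to allowed hosts.
public partial class Forwarder : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string target = ForwarderPolicy.ResolveDestination(Request.QueryString["dest"]);
        if (target == null)
        {
            // Refuse rather than guess: a 400 gives attackers nothing to chain a phishing link on.
            Response.StatusCode = 400;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        Response.Redirect(target, false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

Keeping the allowlist as exact host names (rather than "starts with" or "contains" checks) is the part that matters; most open-redirect findings come from a prefix or substring comparison that a crafted host name satisfies.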
+2  A: 

I have gone for a heartbeat type scenario like you describe above. Either Ajax Polling or an IFRAME. When the user closes the browser and a certain timeout elapses (10 seconds?), then you can log them out.

Another alternative would be to have the site run entirely on AJAX. Thus there is only one "URL" that a user can visit and all content is loaded dynamically. Of course you break all sorts of usability stuff this way, but at least you achieve your goal.

Keltex
Have you done this with an ASP.Net app? How do you know on the backend when the polling hasn't made a call? In other words, how do you set up a listener for this if by definition a request isn't made?
Raelshark
We had an object that mapped session IDs to last received poll time. Whenever a page request was made we obtained the last poll time. If too old or no entry, we signed them out. We periodically (every few minutes) cleared out old entries in the dictionary.
Keltex
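An added example, not Keltex's own code, of the registry described in the comment above: an in-memory map from session ID to the last heartbeat time, an .ashx endpoint the page's JavaScript polls every 10 seconds, a gate that signs the user out when a page request arrives with no recent heartbeat, and a sweep for the periodic cleanup. The names HeartbeatRegistry, HeartbeatHandler, HeartbeatGate and Heartbeat.ashx, and the 30-second tolerance, are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Session ID -> UTC time of the last heartbeat received (assumed in-process, single server).
public static class HeartbeatRegistry
{
    // Client polls every 10 s; tolerate a couple of missed polls before declaring it gone.
    public static readonly TimeSpan Timeout = TimeSpan.FromSeconds(30);

    private static readonly ConcurrentDictionary<string, DateTime> LastSeen =
        new ConcurrentDictionary<string, DateTime>();

    public static void Touch(string sessionId, DateTime nowUtc)
    {
        LastSeen[sessionId] = nowUtc;
    }

    // No entry counts as dead, exactly as in the comment above, so login must seed the entry.
    public static bool IsAlive(string sessionId, DateTime nowUtc)
    {
        DateTime last;
        return LastSeen.TryGetValue(sessionId, out last) && nowUtc - last <= Timeout;
    }

    public static void Forget(string sessionId)
    {
        DateTime ignored;
        LastSeen.TryRemove(sessionId, out ignored);
    }

    // Run every few minutes (e.g. from a System.Threading.Timer) so abandoned sessions
    // do not accumulate. Returns the number of entries removed.
    public static int Sweep(DateTime nowUtc)
    {
        int removed = 0;
        foreach (var entry in LastSeen)
        {
            DateTime ignored;
            if (nowUtc - entry.Value > Timeout && LastSeen.TryRemove(entry.Key, out ignored))
                removed++;
        }
        return removed;
    }

    // Call right after FormsAuthentication.SetAuthCookie on the login page. Storing a value
    // in Session matters: ASP.NET issues a fresh SessionID on every request until the
    // session actually holds something, which would make the registry key unstable.
    public static void SeedAfterLogin(HttpContext context)
    {
        context.Session["heartbeat"] = true;
        Touch(context.Session.SessionID, DateTime.UtcNow);
    }
}

// Polled by the page: setInterval(function () { new Image().src = '/Heartbeat.ashx?t=' + Date.now(); }, 10000);
public class HeartbeatHandler : IHttpHandler, IRequiresSessionState
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        if (context.Request.IsAuthenticated)
            HeartbeatRegistry.Touch(context.Session.SessionID, DateTime.UtcNow);
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.StatusCode = 204;
    }
}

// Call from the Master page's Page_Load so every normal page request is checked.
public static class HeartbeatGate
{
    public static void EnforceOnRequest(HttpContext context)
    {
        if (!context.Request.IsAuthenticated)
            return;
        if (HeartbeatRegistry.IsAlive(context.Session.SessionID, DateTime.UtcNow))
            return;

        // Heartbeats stopped: the tab was closed or navigated elsewhere. Sign out and
        // force re-authentication, as the client's requirement demands.
        HeartbeatRegistry.Forget(context.Session.SessionID);
        context.Session.Abandon();
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Two limits worth keeping in mind when evaluating this against the requirement in the question: a user who leaves and returns inside the tolerance window is still considered alive, and the dictionary lives in one worker process, so a web farm needs the map in a shared store instead.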
A: 

You absolutely, positively need to tell the client that this is not possible. They are having a basic misunderstanding of how the Web works. Be diplomatic, obviously... hell, it's probably someone else's job... but it needs to be done.

Your suggestions, or a combination of them, may work in a simple proof-of-concept... but they will bring you nothing but support nightmares and will not work consistently enough. Worse, you will undoubtedly also create situations where users cannot use the application at all due to the security hacks misfiring on them.

Bryan
Unfortunately it's not always possible to dictate this to a client. We had a client bidding on a government contract. This was a requirement on the contract. The incumbent competitor already claimed (never verified) to be able to do it. So we really had no choice but to try and implement something.
Keltex
Well, obviously the client wasn't happy with the incumbent, or you wouldn't have got the job. :)
Bryan
A: 

Javascript has an onUnload event, which is triggered when the browser is told to leave the page. You can see this on StackOverflow when you try to press the back button or click a link while editing an answer.

You may use this event to trigger an auto-logoff for your site.

I am unsure, however, if this will handle cases wherein the browser is deliberately closed or the browser process externally terminated (I'm guessing it doesn't happen in the 2nd case).

Jon Limjap
A: 

If all navigation within your site is done through .NET postbacks (no simple html links or javascript open statements), you can do automatic logoff and redirect to the login page if the page load is not a postback. This does not end the session on exit, but it looks like it because it enforces a login if manually navigating to your web app. To get this functionality for all pages, you can use a Master page that does this in the Page_Load.

// In the site's Master page: a load that is not a postback means the user arrived by typing a
// URL, following a bookmark or clicking a plain link, so the Forms Authentication ticket is
// discarded and the user is sent to the login page.
private void Page_Load(object sender, System.EventArgs e)
{
    if (!IsPostBack)
    {
        System.Web.Security.FormsAuthentication.SignOut();
        System.Web.Security.FormsAuthentication.RedirectToLoginPage();
    }
}
awe