I have an ASP.NET 4.0 webpage that uses forms authentication. Everything works fine; however, I am not sure if ASP.NET is supposed to be doing this automatically, but when I close my browser after logging in and open it again, it takes me to the authenticated page. Shouldn't it destroy the session when the browser closes? If not, what is the best way to provide security against this, by killing the session or something similar?
- Sessions don't necessarily die just because the browser is closed. As a user, I LIKE not having to always re-login to a page. If it's good enough for my Gmail, it's good enough for me. – Leeish Feb 06 '13 at 18:27
- Bah! Alright, I was typing an answer away and started getting downvotes immediately for mentioning the session timeout. Anyway, I wanted to direct you to ajax heart beats and window.unload, which are talked about in these threads for detecting a browser close: http://stackoverflow.com/questions/10152619/how-to-end-the-session-when-browser-closes/10174426#10174426 http://stackoverflow.com/questions/3986430/how-we-call-logout-servlet-on-browser-close-event – gideon Feb 06 '13 at 18:35
1 Answer
3
An ASP.NET session will not end by simply closing out your browser. ASP.NET maintains your session id by writing a cookie to your browser (assuming you haven't set it to a cookieless session). By default, your session is set with a timeout of 20 minutes. This means that, in general, your session will be available to that browser for the duration of that cookie.
As a security measure, it would be possible to provide some sort of logout functionality on your site. That could then call Session.Abandon that would kill your session.

CAbbott
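An added example, not part of the answer above: a logout handler for a Web Forms site that uses forms authentication, plus the sign-in call that controls whether the login survives a browser restart. In ASP.NET, session state and the forms authentication ticket are separate cookies, so `Session.Abandon` alone leaves the ticket in place. The `Logout` page, the `LogoutButton` control and the `LoginHelper` class are names assumed for this example.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical code-behind for Logout.aspx, wired to
// <asp:Button ID="LogoutButton" runat="server" OnClick="LogoutButton_Click" />.
// Handling a postback (not a GET) keeps a cross-site link from logging users out.
public partial class Logout : Page
{
    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        // 1. Discard server-side session data for this session id.
        Session.Clear();
        Session.Abandon();

        // 2. Remove the forms authentication ticket cookie.
        //    This is the cookie that actually keeps the user "logged in".
        FormsAuthentication.SignOut();

        // 3. Expire the session id cookie so the next request gets a new id.
        //    "ASP.NET_SessionId" is the default name; it differs if
        //    <sessionState cookieName="..."> is set in web.config.
        var sessionCookie = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        };
        Response.Cookies.Add(sessionCookie);

        // 4. Send the browser back to the login page configured in web.config.
        FormsAuthentication.RedirectToLoginPage();
    }
}

// Hypothetical helper called from the login page after credentials are verified.
public static class LoginHelper
{
    public static void SignIn(string userName)
    {
        // createPersistentCookie: false issues the ticket as a session cookie
        // (no Expires attribute), which the browser discards when it closes.
        // Passing true writes a cookie that outlives the browser process.
        FormsAuthentication.SetAuthCookie(userName, false);
    }
}
```

Browsers configured to restore the previous session on startup can keep session cookies across a restart, so the forms ticket `timeout` in web.config remains the upper bound on how long a login stays valid.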