1

I have been attempting to get a clean break from a session when a tab is closed for a workplace system used by supervisors and others. I am successful when the person logs out - all is cleared. However, when a tab is closed, it can be reopened at will as if session.clear() was never called.

I am using this javascript:

 $.ajax({
    type: "POST",
    url: "default.aspx/EndSession",
    data: "{}",
    contentType: "application/json; charset=utf-8",
    dataType: "json",
    success: function (msg) { }
 });

to call this web method:

[WebMethod]
public static string EndSession()
{
   HttpContext.Current.Session.Clear();
   HttpContext.Current.Session.Abandon();
   HttpContext.Current.User = null;
   FormsAuthentication.SignOut();
   return "";
}

I set a breakpoint and watch the code execute as I step through it and it returns. The tab closes, and then I right-click and select "reopen closed tab" and the page comes back and the session is still active.

I see here ppl saying this is not possible, but don't understand why, since the code is running on the server - I'm watching it run, and the session is not cleared. I would have thought this was the point of an explicit call to "Session.Clear()" and "Session.Abandon()". The same code in the logout Page_Load works great.

Why? What am I missing? Is the session clear being thrown out after running because the tab is closed?

Thanks!

Community
  • 1
  • 1
Robb Sadler
  • 705
  • 10
  • 22
  • See [this answer](http://stackoverflow.com/a/14913314/151212). IMO, the only real solution is to store something server-side and not depend only on session cookie. – explunit Apr 29 '13 at 15:53
  • Heading this way now. There is a possibility that the session will be open in more than one tab, so there is the added complexity of that, but for now I am going to start with the suggestions you pointed to. Thanks for the info - I will post back when I have success (hopefully). – Robb Sadler Apr 30 '13 at 17:33

1 Answers1

1

Try to add Session.RemoveAll(); and redirect to another page too?

public static string EndSession()
{
   HttpContext.Current.Session.Clear();
   HttpContext.Current.Session.Abandon();
   HttpContext.Current.Session.RemoveAll();
   HttpContext.Response.Redirect("~/login.aspx", true);
   HttpContext.Current.User = null;
   FormsAuthentication.SignOut();
   return "";
}


In addition to code above add on Page_Load:

HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);
HttpContext.Current.Response.Cache.SetNoServerCaching();
HttpContext.Current.Response.Cache.SetNoStore();

I am not 100% sure of it will work, I thought to write it hopefully it can be of some help.

compliance
  • 365
  • 7
  • 23
  • Added the line you suggested. I had the cache stuff in there before and just now tried the redirect - I had already tried it from javascript, and it was ignored (probably by design). No luck from codebehind either. So the comments in the OP are probably my best option. – Robb Sadler Apr 30 '13 at 17:29