
I am having a problem with my ASP.NET web application and Chrome. When I close my Chrome browser window, it does not clear out cookies. This means that if I log into my web application using forms authentication, and then close and reopen the browser window, it shows I am still logged in!

I read that this may be a Chrome bug, but there must be some way around it.

I found this post and would like to run the following code from it when the browser window is closed:

```csharp
FormsAuthentication.SignOut();
Session.Abandon();

// clear authentication cookie
HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
cookie1.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie1);

// clear session cookie (not necessary for your current problem but I would recommend you do it anyway)
HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
cookie2.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie2);
```

My question is, is there a browser closed event handler that I can specify somewhere in my code? Perhaps Application_End in the Global.aspx file? Or is that not what it is meant for?

Or is there another way to solve this issue?

Thank you.

Here is what my code looks like:

```csharp
private void Login_Click(Object sender, EventArgs e)
{
    // Create a custom FormsAuthenticationTicket containing
    // application specific data for the user.

    string username     = UserNameTextBox.Text;
    string password     = UserPassTextBox.Text;
    bool   isPersistent = false;

    if (Membership.ValidateUser(username, password))
    {
        string userData = "ApplicationSpecific data for this user.";

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
            username,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),
            isPersistent,
            userData,
            FormsAuthentication.FormsCookiePath);

        // Encrypt the ticket.
        string encTicket = FormsAuthentication.Encrypt(ticket);

        // Create the cookie.
        Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));

        // Redirect back to original URL.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(username, isPersistent));
    }
    else
    {
        Msg.Text = "Login failed. Please check your user name and password and try again.";
    }
}
```

Only replace isPersistent with the value of checkbox.Checked which is false by default.

EDIT:

Another annoying thing which is what may be going on is from [this] link where the top answer says:

It also matters which browser you use. Chrome has the ability to run in the background, and that keeps Session Cookies around until their timeout is hit -- they are not dropped when the browser is closed (I found this out the hard way).

Micro
  • Don't use persistent cookie? – MikeSmithDev Sep 21 '14 at 15:54
  • Well I want to be able to use it if someone clicks my "remember me" checkbox. I set `FormsAuthentication.GetRedirectUrl(txtboxUserName.Text, CheckBoxRememberMe.Checked)`. Should I not do that? Despite `CheckBoxRememberMe.Checked` being `false` – Micro Sep 21 '14 at 23:56
  • If you don't want them to stay logged in on browser close, simply don't use a persistent cookie. And remove the check box. – MikeSmithDev Sep 21 '14 at 23:58
  • @MikeSmithDev But I would like them to have that option IF they check the checkbox. Or are you saying that there-in lies the problem? I just don't get why chrome treats my cookie like a persistent one when the value of my `checbox.Checked = false`. It feels like a bug? Added my login code. – Micro Sep 22 '14 at 02:48
  • OK. It wasn't clear that they are staying logged in even after browser close and that non-persistent cookie was already being used. Thank you for the clarification. – MikeSmithDev Sep 22 '14 at 02:53
  • Did you find a solution? – Valentyn Vynogradskiy Sep 21 '19 at 12:03

1 Answer

There is no browser closed handler, how could there be? Once the page is done being served the connection is closed. You have no idea if a user browses away from the site, closes the browser, or lets it sit there for a day. You would have to use client-side code to call a service to handle this and the client-side code to do this is unreliable enough to make it useless.

When you set the authentication cookie, make sure the persistent option is false.

Also, when you close your browser ensure that you are closing all browser windows. If you have multiple browser windows they will share the same cache for cookies so things like the session cookie are still alive because of this and lead you to believe the authentication is kept alive by the server when it's really the browser.

Mark Fitzpatrick
  • Check my updated code above. My persistent option IS false, that is why I thought maybe I could run an event handler at browser close. – Micro Sep 22 '14 at 13:24
  • And I am definitely closing all the browser tabs, but with Chrome I read that it can still run in the background? I tried on several different computers, and the same story for all of them that run Chrome: closing the browser window won't log out even if the persistent option is `false` – Micro Sep 22 '14 at 13:30
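
An added example, not code from the question or the answer: since the server never sees the browser close and Chrome may hold on to session cookies, the lifetime that counts is the one inside the encrypted ticket. The helper class `AuthCookieIssuer`, its method names and the 14-day "remember me" lifetime are assumptions made for this sketch; the 30-minute lifetime is the one used in the question.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added illustration. AuthCookieIssuer and RememberLifetime are assumptions,
// not code from the question or the answer.
public static class AuthCookieIssuer
{
    private static readonly TimeSpan SessionLifetime  = TimeSpan.FromMinutes(30); // as in the question
    private static readonly TimeSpan RememberLifetime = TimeSpan.FromDays(14);    // assumed value

    public static HttpCookie Build(string username, bool rememberMe, DateTime now)
    {
        DateTime expires = now.Add(rememberMe ? RememberLifetime : SessionLifetime);
        var ticket = new FormsAuthenticationTicket(
            1, username, now, expires, rememberMe,
            string.Empty, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follows the <forms requireSSL> setting

        // Only a "remember me" login gets an Expires date. Without one the browser
        // holds a session cookie, which Chrome can keep while it runs in the background.
        if (rememberMe)
        {
            cookie.Expires = expires;
        }
        return cookie;
    }

    // The expiration travels inside the encrypted ticket, so the server can refuse
    // a cookie the browser never discarded.
    public static bool IsStillValid(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return ticket != null && !ticket.Expired;
        }
        catch (Exception)
        {
            return false; // malformed or tampered value: treat as signed out
        }
    }
}
```

In the login handler, `Response.Cookies.Add(AuthCookieIssuer.Build(username, CheckBoxRememberMe.Checked, DateTime.Now));` would take the place of the manual cookie creation. A session cookie that Chrome keeps across a restart then stops being accepted once the ticket's 30 minutes have passed.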