3

I want to log out users of my MVC application automatically after 2 days, or when they close the browser. My authentication is cookie based, I am using ASP.NET Identity Framework.

As far as I understand, Cookies can either be persistent (with a fixed expiration date) or have a session lifetime (being cleared on browser close).

So if I make a persistent cookie I can make it expire after 2 days, but it will survive a browser close (which I don't want).

And if I make a Session cookie it will never expire if the user does not close the browser.

Is there a way to get the best of both worlds in my MVC application? A cookie that will expire either on browser close or after x time, whatever comes first?

magnattic
  • 12,638
  • 13
  • 62
  • 115
  • tried considering `localStorage`? – Guruprasad J Rao Aug 13 '15 at 10:07
  • @GuruprasadRao I've never heard of using localStorage for authentication information. Is that a thing? Does ASP.NET support that? And how would that solve my expiration problem? – magnattic Aug 13 '15 at 10:09
  • What should happen if the user loses internet for a short while (but the browser is still up)? – Patrick Aug 13 '15 at 10:12
  • He should stay logged in, I guess. Isn't that how it works with any kind of cookie anyway? – magnattic Aug 13 '15 at 10:14
  • **[localStorage](http://www.w3schools.com/html/html5_webstorage.asp)** is basically a browser capability that works on `clientside` and you might need to `localStorage` one with the value when timeout should happen and other with the value `true` or `false` so that you can set these values based on the time stored in other `localStorage` – Guruprasad J Rao Aug 13 '15 at 10:16
  • @GuruprasadRao I don't see how the switch to localStorage solves my problem. You propose manually tracking an additional expiration value, right? I could do that with cookies. What is the benefit of using localStorage here? – magnattic Aug 13 '15 at 10:27
  • Check this anwer: http://stackoverflow.com/questions/23632725/how-do-i-log-a-user-out-when-they-close-their-browser-or-tab-in-asp-net-mvc, approach 3 to clear cookie seems feasible for you – cuongle Aug 13 '15 at 10:39

0 Answers0