3

When using the current Asp.Net Identity handling code, it's possible to set a bunch of options in Startup.Auth to handle how the identification to handle how the cookie behaves.

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    SlidingExpiration = true,
    ExpireTimeSpan = TimeSpan.FromMinutes(GetExpiryMinutesFromConfig()),
    Provider = new CookieAuthenticationProvider
    {
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromSeconds(60), 
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});

If a user is logged in, then this cookie will be deleted if they close the whole browser window. However, if they just close the tab, the cookie persists. I cannot find a CookieAuthenticationOptions value that controls this.

I suspect deleting the cooked when a tab is closed may be difficult and undesirable from a UI point of view (what if there are multiple tabs open, for example). But is it actually possible.

Bob Tway
  • 9,301
  • 17
  • 80
  • 162

1 Answers1

4

Cookie can either specify expiration time or not. If it does not - it's known as session cookie and will usually live in browser memory until browser is closed. Details of how to handle session cookies are browser specific. For example, in Google Chrome, if you use "continue where I left" option, browser will actually save session cookies to disk when you close browser and will restore them when you reopen it.

That said - I'm not aware of any browser which handles session cookies by deleting them on tab close. And there certainly cannot be any option in asp.net (or anywhere else except browser settings) to enable such behavior.

Evk
  • 98,527
  • 8
  • 141
  • 191