ending sessions when browser is closed

[Jennifer Smith]

We have an environment running ASP on IIS5, where a user
logs in via an ASP login page and an entry is made to the
database recording the users login time and a database
session. If the user then clicks the logout link, the
database is update with their logout time and unlocks
their account by removing the database session.

The problem lies when the user closes the browser ("X").

When this happens, the IIS session is terminated, which is
okay, but the database does not get updated and their
database session is not removed. We have another process
which will then come along and remove inactive database
sessions after 10 minutes of inactivity. So, during this
period of time, the user would not be aloud to log back
in. I am trying to find a way to capture this scenario so
that I can make a call down to the database to force their
account to logout, hence removing the database session.

Any ideas whatsoever would be greatly appreciated.

 

[Mark Schupp]

From what I have seen in this group there is no reliable way to capture the
end of session when the user closes the browser.

you could modify your login function so that if it detects an active session
for the user attempting to log in:
tell the user that they have a session active
ask if they want to terminate that session and login again

 

[Dan Boylett]

Of course, that would be a bad idea from a security point of view.

depends how its implemented - if every user has a unique ID/password/IP
address then I dont see why it would be a risk... the person logging on
should be the same person who logged off surely, or am I missing something
obvious? (Highly likely!)