forms authentication automatic logout without timers?

[Danny]

Hello,

I have a web application that uses forms authentication. I have been asked to implement a feature that logs users out automatically if they navigate to a page outside of the secured portion of the web app. This request means that cookie timeouts won't work, it needs to be an instant thing - you leave the site -> the door gets locked on your way out even if you haven't explicitly logged out yourself.

Does anyone know if this is possible?

Regards,

Danny

 

[ranganh]

Dear Danny,

In the Page_Load event of the page where you want to logout the users, put the following code:-

if(User.Identity.IsAuthenticated)
{
FormsAuthentication.Signout();
}

this will automatically signout user's who are logged in.

hope it helps.

 

[Sam]

In the Global.asax AuthorizeRequest event, you can add
code that will check if the user is authenticated and if
the current url is secure or not. Then, sign the user out
accordingly:

Private Sub Global_AuthorizeRequest(ByVal sender As
Object, ByVal e As System.EventArgs) Handles
MyBase.AuthorizeRequest
If User.Identity.IsAuthenticated Then
If Not
HttpContext.Current.Request.IsSecureConnection Then

System.Web.Security.FormsAuthentication.SignOut()
End If
End If
End Sub

-----Original Message-----
Hello,

I have a web application that uses forms authentication.

I have been asked to implement a feature that logs users
out automatically if they navigate to a page outside of
the secured portion of the web app. This request means
that cookie timeouts won't work, it needs to be an instant
thing - you leave the site -> the door gets locked on your
way out even if you haven't explicitly logged out
yourself.

 

[Danny]

Thank you for the replies.

Unfortunately I realised last night when I got home that I didn't really state my question correctly so I am closing this question and moving it to a new posting titled 'can you prevent malicious use of browser back button in forms authentication'

What I actually want to do is this...

User is logged in and authenticated to use secure sections of site. User then proceeds to navigate to some site outside of the secure sections of the web app (could be any url) but forgets to log out then eventually gets up and walks away from their machine. Some other malicious user then comes along and presses the back button on their browser to see what forgetful user has been looking at.

I've been asked to somehow prevent that malicious user from being able to gain access to secure content if fogetful user didn't logout and the forms authentication timer on the auth cookie hasn't yet expired.

I'm really not sure if this is possible.