How to log him out if he does not click "Logout"?

[antonyliu2002]

I know this has been asked many times. I searched a little bit, but
could not get a good solution.

I am using form authentication for my small web application.

I know that I can easily log out a user by using
FormsAuthentication.SignOut() and Session.Abandon().

But this will depend on the user's clicking the "Logout" button.

What if he simply closes the browser? It is said that our Web server
has no way of knowing whether the client browser is closed or not.

So, how do we logout a user if he closes the browser instead of
clicking the "Logout" button?

This is the part of my web.config that reinforces the authentication:

<authentication mode="Forms">
<forms name="Auth" loginUrl="/index.aspx" protection="All"
timeout="30" >
<credentials passwordFormat="Clear">
<user name="user1" password="passwd4user1" />
<user name="user2" password="passwd4user2" />
</credentials>
</forms>
</authentication>

The 30 minutes' timeout does not work. Currently a user is logged in
the entire day if he does not click the "Logout" button and signs out.
He remains logged in even if he closes all of his browser windows and
relaunches the browser. How to fix this please?

Thanks.

 

[David Thielen]

Hi;

I believe the timeout works (I am not an expert on this) but that the user
can then be logged back in using a cookie created the first time. This cookie
auto-login can be turned off.