How to log him out if he does not click "Logout"?

Discussion in 'ASP .Net Security' started by antonyliu2002, Mar 12, 2006.

  1. I know this has been asked many times. I searched a little bit, but
    could not get a good solution.

    I am using form authentication for my small web application.

    I know that I can easily log out a user by using
    FormsAuthentication.SignOut() and Session.Abandon().

    But this will depend on the user's clicking the "Logout" button.

    What if he simply closes the browser? It is said that our Web server
    has no way of knowing whether the client browser is closed or not.

    So, how do we logout a user if he closes the browser instead of
    clicking the "Logout" button?

    This is the part of my web.config that reinforces the authentication:

    <authentication mode="Forms">
    <forms name="Auth" loginUrl="/index.aspx" protection="All"
    timeout="30" >
    <credentials passwordFormat="Clear">
    <user name="user1" password="passwd4user1" />
    <user name="user2" password="passwd4user2" />
    </credentials>
    </forms>
    </authentication>

    The 30 minutes' timeout does not work. Currently a user is logged in
    the entire day if he does not click the "Logout" button and signs out.
    He remains logged in even if he closes all of his browser windows and
    relaunches the browser. How to fix this please?

    Thanks.
     
    antonyliu2002, Mar 12, 2006
    #1
    1. Advertisements

  2. Hi;

    I believe the timeout works (I am not an expert on this) but that the user
    can then be logged back in using a cookie created the first time. This cookie
    auto-login can be turned off.
     
    David Thielen, Mar 12, 2006
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.