Logout when browser is closed


#1

I’m working on a web app that contains bank information. We need to log the user out when the browser is closed. I’m using ASP.Net and it seems it keeps the user logged in for the default 20 min timeframe even after the browser is closed. Any ideas?


#2

have you tried onbeforeunload event ?


#3

I have not - new to ASP.Net. I’ll do some research on that event. Thanks!


#4

It seems to be one of those, much asked questions. Ranging from keypress event changes, to trigger, to javascript scriptlets, to session control , ajax requests and cookies.

I havent found a decent solution to this, so wish you a whole heap of luck. Seemingly , you would need to check such things as navigating away from the page, say another tab and closing that, doesnt instantiate closing of logged in session too.

TBH I really dont know what I am talking about lol


#5

Works great in IE, but the event is ignored by Chrome. Gotta love browser incompatibility. Time for more googling…


#6

It should reset if you close the browser ( unless you issued a persistent cookie during login). If you really must log out by brute force then go for a combo of clientside onunload and onbeforeunload event handler (test what works for you best).

IMHO unreliable, so just regulate the timeout in the form element in web.config. This will allow you to specify for how long the cookie lasts, defaults to 30minutes.

Logging someone out when they have not closed all browser windows is quite inconsistent behavior. Non persistent cookies last for as long as the timeout is not reached in web.config or the browser is closed ( not the same as closing a single tab ). So the best way is to wait for the cookie to timeout or user closed all browser tabs and not just navigated away from the site. This is consistent behavior with most online banking applications.


#7

what about initiating a dialogue box when they close the browser, sort of like google do it. With options:

a. click here to end your session ( logs them out )

b. cancel and return to page

like

window.onbeforeunload = function (event) {
  var message = 'Sure you want to leave?';
  if (typeof event == 'undefined') {
    event = window.event;
  }
  if (event) {
    event.returnValue = message;
  }
  return message;
}

#8
The cookie setter can specify a deletion date, in which case the cookie will be removed on that date. If the cookie setter does not specify a date, the cookie is removed once the user quits his or her browser.

when sending the session cookie to the user don’t specify an expiration date (in PHP it would be with the setcookie() function)

you can use chrome inspector > network to read the raw http cookie headers to see what expiration date is set, you can also use the built in chrome inspector to view and delete cookies when testing this feature.