当浏览器或选项卡关闭时终止 Asp.Net 会话
我正在使用 Asp.Net 4 的表单身份验证。当用户单击注销链接时,我清除会话并调用 FormsAuthentication.SignOut() ,这会阻止用户返回到网站无需再次登录。
现在我想在浏览器或选项卡关闭时终止会话。我尝试通过处理 onbeforeunload 事件来执行此操作,但在单击任何内部链接后我最终终止了会话。
我有什么想法可以做到这一点吗?
I am using forms authentication with Asp.Net 4. At the moment when the users click on logout link, I clear the session and call FormsAuthentication.SignOut() and this prevents the users from going back to the site without a logging in again.
Now I want to kill the session when the browser or tab is closed. I tried doing this by handling onbeforeunload event, but I ended up killing the session after clicking any internal links.
Any ideas how I can do this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
你不能,但你可以
You can't, but you can come close to.
身份验证 Cookie仅限会话,这意味着浏览器关闭时会被浏览器删除。也许您没有关闭所有浏览器选项卡,但如果您关闭它们,所有身份验证 cookie 都会丢失。
关于关闭选项卡,您不知道用户是否打开了其他选项卡。
一种可能的解决方案可能是每 10 秒调用一次回服务器以保持此身份验证处于活动状态,并将身份验证设置为在 20 秒后结束。因此,如果没有任何信号返回,则用户已经离开。这可以使用 JavaScript 来完成。另一方面,这不能让用户在几分钟不活动后注销,因此您可能需要将此逻辑与其他逻辑结合起来。
The authentication cookies are session only, that means that delete by browser when the browser close. Maybe you do not close all browsers tabs, but if you close them all the authentication cookies are lost.
About closing a tab, you do not know if the user have other tab opens.
A possible solution maybe is a call every 10 seconds back to the server to keep this authentication active or not, and set the authentication to end up after 20 seconds. So if not any signal come back, the user have gone. This can be done using javascript. From the other hand this can not let the user logout after some minutes of inactivity, so you may need a combination of this logic with something else.
您能做的最好的事情就是当您的用户明确注销时也调用 Session.Abandon() 来删除该用户的会话。但正如其他人所说,如果不以这种方式注销,就无法知道选项卡/窗口是否只是关闭。会话将一直保留在服务器上直到过期。
The best you can do is when your user explicitly logs out to also call
Session.Abandon()to remove that user's session. But like others have said there is no way of knowing if the tab/window just closes without doing a logout in this fashion. The session will just hang around on the server until it expires.我回答了另一个问题,当用户在实时站点上编辑 web.config 时,会话会被终止。他们正在跟踪仍在使用会话变量登录的用户(危险)。但提出了一个可以帮助这里的人的解决方案(未经测试的解决方案)。
FormsAuthentication 允许您无限期地保持一个人处于活动状态并登录。但如果他们变得不活动(例如 20 分钟),他们就会被注销,这很好。但要让他们在关闭浏览器时注销是不可能的(等待...),因为将超时值设置为 0 会导致他们不断登录然后再次注销。
所以解决方案:当您使用 FormsAuthentication 登录某人时,您还可以设置一个标准会话变量 cookie,当他们关闭浏览器时该变量将被删除。该 cookie 包含非识别性的非帐户相关信息。只是一个简单的“登录:是”。
现在,您的母版页/母版布局上需要的所有代码都是页面周期或页面周期构造函数(甚至自定义属性)中的高级调用,它将检查 cookie 和用户身份:
基本上,如果 cookie 是当浏览器关闭时删除,您会将用户重定向到登录页面。
希望这会有所帮助(并且有效。正如我所说,未经测试)。
I answered another question that had a problem with session being killed when the user edited the web.config on a live site. They were tracking users still being logged in with Session variables (dangerous). But came up with a solution (untested solution) that could help people here.
FormsAuthentication allows you to maintain a person being active and logged in indefinitely. But if they become inactive for e.g. 20 mins they will be logged out which is nice. But to have them logged out at the time the close their browser is not possible (wait for it...) as setting the timeout value to 0 would cause them to be constantly logged in then out again.
So solution : at the time you log a person in using FormsAuthentication you could also set a standard session variable cookie that will be deleted when they close their browser. This cookie would have non-identifying non-account related information. Just a simple "loggedIn:yes".
Now all your code would need to have on it's masterpage/materlayout is a high level call in the page cycle or constructor of the page cycle (or even a custom attribute) that would check both cookie and the user identity:
Basically if the cookie is removed when the browser is closed, you will redirect the user to the log in page.
Hopefully that helps (and works. As I said untested).