Reputation: 2058
How do I prevent returning to my site without login after closing tab with x?
I have a logout button on my site that triggers
FormsAuthentication.SignOut()
forcing the need to login again even if one uses the back button on the browser or copy/pastes the URL. However if one closes the tab by the x button of the browser and there's another tab still open, if they copy/paste the URL the page will reopen without logging in. This is a serious security problem. If the browser closed completely by closing all tabs that doesn't happen. How can I prevent returning to the URL after closing the tab even if the browser hasen't been closed completely? Is there a way of catching a javascript OnClose event that will trigger FormsAuthentication.SignOut()? I'm working in asp.net c#.
Upvotes: 2
Views: 3284
Answers (4)
Reputation: 328
easy. Just make a variable to localStorage, like: isLogin = Yes, then it does not need any login page. But if isLogin = No, then it should go to login page.
Upvotes: 0
Reputation: 46599
Wait, the user has two tabs open on your site and they click "Logout" in the one, but not in the other? Well, then they haven't really logged out - the session is still active. I see how that can be a problem. But it is not a SECURITY problem, it's just the same user that remains logged in.
Anyway, you can create, for instance, a new session variable that you fill with a value whenever the user logs in, and that you delete when the user logs out. Then in every Page_Load, check this variable, and redirect to the login page if it doesn't exist.
Might be a bit of overkill, but it's all server side and you won't need Javascript to do it.
Upvotes: 0
Reputation: 8183
That's a browser session problem.
A browser session (in fact, the cookie which hold the session id is deleted when the browser is closed) ends only when the browser is closed. It's why you are not logout when you close only one tab without closing the whole browser.
There's no reason to logout the user when he only close a tab. This behavior is not standard on the web and users can be disoriented if you do that.
But nevermind, if you want to do that, you can write a few javascript that drop a popup to warn the user he must logout before leaving. To do that use the unload or onbeforeunload event.
Look at here to see examples : How to create popup window when browser close
Upvotes: 1
Reputation: 81700
You may use javascript on window onbeforeunload event to make a call to your website and log out the user.
Upvotes: 0
Related Questions
- Logout issue with browser back button
- Automatically sign out from Forms Authentication in ASP.NET when browser is closed
- How to stop opening a login page in (asp.net webforms) when user is already logged in the same browser in different tab
- disable auto logout feature in asp.net
- Ensuring forms authentication logout on browser close
- Kill Asp.Net session when the browser or tab is closed
- Authentication clear when tab closed in a browser
- Returning to login screen with forms authentication
- Resist User to go back after Login
- Keep ASP .NET page from logging out