Conditional execution of Signout

[mklapp]

Hello,

I have a web app with a login page. It all seems to work nicely. The default page redirects to the login, the login redirects to the default(menu) page which has a signout link. If I click the signout link, the cookie is removed.

However, if I close the browser, the cookie persists (apparently) as when I restart the app, I am taken to the main menu page without logging on.

The authentication ticket is generated as not persistent with a timeout of 30.

I would like to put something in the Page_Unload handler to signout if the user has not already done so, but do not want to do it at anyother time (when transferring from the main menu to an App page.) but cannot figure a safe and reliable check.

Suggestions?

mklapp

[MSFT]

Hello,

Thank you for using the community. As I understand, your ASP.NET
application use Form Authentication and non-persisted cookie. You want to
SignOut the user once they close the IE window. Is this correct?

Normmally, we can pust the Formsauthentication.SignOut method in
SessionTimeOut, and use TimeOut setting of session to determine if the user
exits the application.

Luke
Microsoft Online Support

Get Secure! [url]www.microsoft.com/security[/url]
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

[Felix Wu [MSFT]]

Hi Mklapp,

Have you tried to set the cookie's Expires to DateTime.MinValue? This can
make it a session cookie. It will expires after you close the browser.

Regards,

Felix Wu
=============
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------

>Thread-Topic: Conditional execution of Signout
>thread-index: AcPqcnC/Yk88qekDTceDE0Gq1DjSxQ==
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>From: =?Utf-8?B?bWtsYXBw?= <mklapp@zippy.com>
>Subject: Conditional execution of Signout
>Date: Tue, 3 Feb 2004 08:26:13 -0800
>Lines: 15
>Message-ID: <3D349774-77C8-4C86-9126-2289A97DC6CA@microsoft.com>
>MIME-Version: 1.0
>Content-Type: text/plain;
> charset="Utf-8"
>Content-Transfer-Encoding: 7bit
>X-Newsreader: Microsoft CDO for Windows 2000
>Content-Class: urn:content-classes:message
>Importance: normal
>Priority: normal
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>Path: cpmsftngxa07.phx.gbl
>Xref: cpmsftngxa07.phx.gbl

microsoft.public.dotnet.framework.aspnet.security: 8509

>NNTP-Posting-Host: tk2msftcmty1.phx.gbl 10.40.1.180
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>
>Hello,

I have a web app with a login page. It all seems to work nicely. The
default page redirects to the login, the login redirects to the
default(menu) page which has a signout link. If I click the signout link,
the cookie is removed.

However, if I close the browser, the cookie persists (apparently) as
when I restart the app, I am taken to the main menu page without logging on.

The authentication ticket is generated as not persistent with a timeout
of 30.

I would like to put something in the Page_Unload handler to signout if
the user has not already done so, but do not want to do it at anyother time
(when transferring from the main menu to an App page.) but cannot figure a
safe and reliable check.

Suggestions?

mklapp

>