Forms Auth Problems.

[Ed Staffin]

Hi, I am using the fairly standard code below to do my
forms authentication ticket and redirect, however, I am
finding that once successfully logged in, I don't get
another log after I close the browser. Is there something
I need to do to let it know that if the browser closes
they should be logged out?
Thanks ... Ed


Dim tkt As FormsAuthenticationTicket
Dim cookiestr As String
Dim ck As HttpCookie

tkt = New FormsAuthenticationTicket(1, txtUserName.Text,
DateTime.Now(), DateTime.Now.AddMinutes(20),
True, "")
cookiestr = FormsAuthentication.Encrypt(tkt)
ck = New HttpCookie( _
FormsAuthentication.FormsCookieName(), cookiestr)
ck.Expires = tkt.Expiration
ck.Path = FormsAuthentication.FormsCookiePath()
Response.Cookies.Add(ck)
Resonse.Redirect(FormsAuthentication.GetRedirectUr l _
(txtUserName.Text, False))

[Ken Schaefer]

Your auth cookie can two options:
a) it has no expiry date, in which case it is held in the browser's memory,
and when the browser process is closed (all windows are closed), then the
cookie is discarded.
b) it has an expiry date (a persistant cookie), which is then written to
disk, and returned to the server if the browser returns to that site (even
if it has been closed)

The server does not know when a user closes their browser - the browser
doesn't send anything to every server that it's visited telling the server
that the browser is being closed (that would be a huge privacy problem). So
the server keeps the session going until it eventually timesout. However, if
you:
a) have a persistant cookie
b) just close your browser
c) open the browser again and point it to the side
then
a) the session is still going on the server
b) the browser still has the cookie
so you will be let in.

You could use some client-side javascript code that pops-up a new window
when the user attempts to close their browser. This new window would call a
special page on the server that abandons the user's session. However pop-up
blockers will block this from ever happening.

Cheers
Ken

"Ed Staffin" <anonymous@discussions.microsoft.com> wrote in message
news:338b01c4292c$315b1890$a401280a@phx.gbl...
: Hi, I am using the fairly standard code below to do my
: forms authentication ticket and redirect, however, I am
: finding that once successfully logged in, I don't get
: another log after I close the browser. Is there something
: I need to do to let it know that if the browser closes
: they should be logged out?
: Thanks ... Ed
:
:
: Dim tkt As FormsAuthenticationTicket
: Dim cookiestr As String
: Dim ck As HttpCookie
:
: tkt = New FormsAuthenticationTicket(1, txtUserName.Text,
: DateTime.Now(), DateTime.Now.AddMinutes(20),
: True, "")
: cookiestr = FormsAuthentication.Encrypt(tkt)
: ck = New HttpCookie( _
: FormsAuthentication.FormsCookieName(), cookiestr)
: ck.Expires = tkt.Expiration
: ck.Path = FormsAuthentication.FormsCookiePath()
: Response.Cookies.Add(ck)
: Resonse.Redirect(FormsAuthentication.GetRedirectUr l _
: (txtUserName.Text, False))
: