ASP.NET application authentication problem
I have an ASP web application that is using forms authentication. I am not using the ASP.NET membership provider; I am creating custom authentication. Thus, when a user logs in, I create a ticket and a cookie for him, and when the user logs out I delete them. I have a problem when the user clicks the close button at the top right of the browser. As you know, this is a client-side event and there is no server-side event that runs.
My question is: What should I do when the user clicks the close button in order to remove the ticket and the cookie?
You should use a non-persistent cookie. You do this by passing false to the second argument of this method: http://msdn.microsoft.com/en-us/library/twk5762b.aspx
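
A sketch of the non-persistent-cookie approach from the answer above, applied to a custom (non-membership) login. It is added here as an example and is not code from the original posters; `AuthCookieHelper` and its method names are hypothetical, and the timeout and SSL settings are assumed to come from the `<forms>` element in web.config.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the original thread).
public static class AuthCookieHelper
{
    // Issues a forms-authentication ticket inside a session cookie.
    public static void SignIn(HttpResponse response, string userName, string userData)
    {
        DateTime now = DateTime.Now;

        var ticket = new FormsAuthenticationTicket(
            1,                                     // ticket version
            userName,
            now,                                   // issue time
            now.Add(FormsAuthentication.Timeout),  // expiry enforced on the server
            false,                                 // isPersistent = false
            userData ?? string.Empty,
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket))   // encrypted and MAC-protected ticket
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // HTTPS only when configured
            Path = FormsAuthentication.FormsCookiePath
        };

        // Expires is deliberately left unset: a cookie without an expiry date
        // is a session cookie, which the browser discards when it is closed.
        response.Cookies.Add(cookie);
    }

    // Explicit logout: expires the forms-authentication cookie on the client.
    public static void SignOut()
    {
        FormsAuthentication.SignOut();
    }
}
```

The ticket's own expiration still bounds the session on the server if a browser keeps session cookies longer than expected, for example when it restores the previous session on startup.
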
You can hook onto the "onbeforeunload" DOM event. There are a couple of approaches you can take:
From the client side, set the value of a hidden field and call __doPostBack('fieldid'). In the server-side event handler of this field's value changed event, remove the ticket and your authentication token. You can make this an AJAX postback. The idea is that even if the user closes the browser, your web server would have been hit and you will remove the token.
In the same event handler, fire a web service call to remove the authentication token.
I suppose you delete the ticket as soon as the user session expires or ends, using session.Abandon() and the session_end event on the service side.
As far as I am concerned, I would wait until the timeout closes the session by itself with the ASP.NET session expiration mechanism. Apparently you don't want to rely on it; that's why you need to trap the "windows close" event somehow and send a signal to the server.
This link might help you to have an example about how to do this.