
ASP.NET authentication cookie not deleting after Firefox is closed

I'm developing a small web application, used on a shared computer.

When the user closes the browser window, I want the session and the authentication to be deleted.

In the Login page I use something like this to authenticate the user:

FormsAuthenticationTicket authTicket =
      new FormsAuthenticationTicket(1,txtUser.Text,
                                    DateTime.Now,
                                    DateTime.Now.AddMinutes(5),
                                    false,"");

string encTicket = FormsAuthentication.Encrypt(authTicket);
HttpCookie faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
HttpContext.Current.Response.Cookies.Add(faCookie);
string redirectUrl = FormsAuthentication.GetRedirectUrl(txtUser.Text, false);
HttpContext.Current.Response.Redirect(redirectUrl);

As you can see, I have set the "isPersistent" variable to false.

This seems to work on Chrome (haven't tested on IE); however, when I run the app on Firefox, with multiple tabs activated, if I close the browser and open it again, I'm still authenticated, and the cookie is still there!

It's really strange, because the cookie should be removed on closing... Is this a bug in Firefox, when you have multiple tabs opened? How can I fix this?

Help is much appreciated!

Thanks in advance


Are you closing the browser, or just the one tab? You need to close the whole browser. If you have multiple top-level browser windows open, all of them need to be closed. Also, any other windows that are part of the Firefox process need to be closed, too: Downloads, Live HTTP Headers, View Page Source, etc.


Thanks for the tips guys, but I'm sure I'm closing the browser, without any other Firefox-related windows open.

By reading this, it seems that this is the default browser behavior, chosen by the Firefox 3 designers...

It seems it stores on disk the cookies that are supposed to be kept in RAM, to recover the tabs when you open the browser again. So if you want the session to be deleted, you need to close all tabs, and then the browser...

I think this can cause some flaws regarding authentication security. For example, someone is using the application, finishes the job and leaves, closing the browser and not the tabs. Since the computer is shared, right after that another user opens the browser and will see all the tabs, with the previous session restored...


Instead of relying on Mozilla or any other browser, I would recommend you use this code to delete the cookies:

if (Request.Cookies["UserSettings"] != null)
{
    HttpCookie myCookie = new HttpCookie("UserSettings");
    myCookie.Expires = DateTime.Now.AddDays(-1d);
    Response.Cookies.Add(myCookie);
}

For more information on this topic: How to: Delete a Cookie

Edit:

If you want to delete cookies during page unload, you can use JavaScript to accomplish that:

<html>
<head>
  <title></title>
  <script type="text/javascript">
   function deleteCookie()
   {
     // Expire the cookie by giving it an expiry date in the past
     var d = new Date(0);
     document.cookie = "v0=1;expires=" + d.toUTCString() + ";";
     alert(document.cookie);
   }

  </script>
</head>

<body onunload="deleteCookie()">
...

</body>
</html>

I think in your situation JavaScript is the best solution.


Don't use cookies; use session to store the authenticated user, and ASP.NET will manage the session cookie for you. It works with Firefox and is more secure.

But if you want to continue with this authentication cookie, place the code to remove it in the Global.asax Session_Start event.

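protected void Session_Start(object sender, EventArgs e)
{
    // Request.Cookies.Remove() only edits the server-side copy of the request;
    // to make the browser drop the cookie, send it back already expired.
    HttpCookie expired = new HttpCookie(FormsAuthentication.FormsCookieName, "");
    expired.Expires = DateTime.Now.AddDays(-1d);
    HttpContext.Current.Response.Cookies.Add(expired);
}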


The problem stems from the fact that if you set an expiration, you will get a persistent cookie. The following code works for me where I want the user to choose between a persistent or browser-session-only cookie, a la a "remember me" checkbox when logging in:

public void SetAuthenticationCookie(LoginView loginModel)
{
    if (!loginModel.RememberMe)
    {
        FormsAuthentication.SetAuthCookie(loginModel.Email, false);
        return;
    }
    const int timeout = 2880; // Timeout is in minutes, 525600 = 365 days; 1 day = 1440.
    var ticket = new FormsAuthenticationTicket(loginModel.Email, loginModel.RememberMe, timeout);
    string encrypted = FormsAuthentication.Encrypt(ticket);
    var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
    {
        Expires = System.DateTime.Now.AddMinutes(timeout),
        HttpOnly = true
    };
    HttpContext.Current.Response.Cookies.Add(cookie);
}


Just a wild guess: make sure you haven't got the Firefox Downloads window still open...


Well, I found this solution; it might help someone else:

if (Request.Cookies["TownID"] != null)
{
    HttpCookie myCookie = Request.Cookies["TownID"];
    myCookie.Expires = DateTime.Now.AddDays(-1d);
    Response.Cookies.Add(myCookie);
}

Source: http://forums.asp.net/p/1565112/3895452.aspx
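
Added example (not part of any post above, and not any poster's code): since the thread establishes that Firefox's session restore can bring a non-persistent cookie back, the parts a shared-computer application controls are the ticket's server-side expiry and an explicit sign-out. `SharedComputerAuth` is a hypothetical helper name, and `ASP.NET_SessionId` assumes the default session cookie name was not changed in web.config.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper for illustration; call it from the login and logout handlers.
public static class SharedComputerAuth
{
    // The expiry is stored inside the encrypted ticket, so ASP.NET rejects the
    // ticket after this window even if the browser restores the cookie from disk.
    private static readonly TimeSpan TicketLifetime = TimeSpan.FromMinutes(5);

    public static void SignIn(HttpContext context, string userName)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(TicketLifetime),
            false,                                   // isPersistent
            "", FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            // Expires is deliberately not set: the browser treats this as a session cookie.
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        context.Response.Cookies.Add(cookie);
    }

    public static void SignOut(HttpContext context)
    {
        // Sends an already-expired forms cookie so the browser discards its copy.
        FormsAuthentication.SignOut();

        if (context.Session != null)
        {
            context.Session.Abandon();               // discard server-side session state
        }
        // Assumed default session cookie name; expire it on the client as well.
        var sessionCookie = new HttpCookie("ASP.NET_SessionId", "")
        {
            Expires = DateTime.Now.AddDays(-1),
            HttpOnly = true
        };
        context.Response.Cookies.Add(sessionCookie);
    }
}
```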
