In one of the ASP.NET MVC apps we would like to logoff the user automatically if he closes the browser tab in which the app is opened.
在其中一个ASP.NET MVC应用程序中,如果用户关闭打开应用程序的浏览器选项卡,我们会自动注销用户。
We are using the following code when he authenticates.
我们在进行身份验证时使用以下代码。
FormsAuthentication.SetAuthCookie(userName, false)
FormsAuthentication.SetAuthCookie(userName,false)
As of now, if we closes the browser window and relaunch it, users are asked to authenticate again. But we want to ask users to authenticate again if they close the tab and try to access any of the website urls.
截至目前,如果我们关闭浏览器窗口并重新启动它,则会要求用户再次进行身份验证。但是,如果用户关闭标签并尝试访问任何网站网址,我们都会要求用户再次进行身份验证。
5 个解决方案
#1
6
We decided to use cookie less authentication so that the authentication token is part of the url. When the tab is closed and they open the website again, they will be asked to authenticate again :)
我们决定使用cookie less authentication,以便身份验证令牌成为url的一部分。当标签关闭并再次打开网站时,将要求他们再次进行身份验证:)
#2
3
I have not tried this myself, but I think the following approach should work:
我自己没试过,但我认为以下方法应该有效:
On the client side, you can use the OnUnload event of your document to launch a javascript function that would call your server-side signout method via ajax.
在客户端,您可以使用文档的OnUnload事件来启动javascript函数,该函数将通过ajax调用服务器端注销方法。
On the server side, you should have the action method call FormsAuthentication.SignOut() and Session.Abandon();
在服务器端,您应该使用action方法调用FormsAuthentication.SignOut()和Session.Abandon();
#3
3
A browser clears all Session scoped objects only when it is completely closed, and not when an individual tab is closed.
浏览器仅在完全关闭时清除所有会话作用域对象,而不是在单个选项卡关闭时清除。
One way could be to use a very low Session timeout and have a server-side script poll every few seconds to hit an object on the page. This will extend Session time again. So if a tab is closed, the script can't find the object thereby allowing the Session to timeout. One problem here is if your app is on a pretty high load, your app could DoS itself!
一种方法是使用非常低的会话超时,并且每隔几秒就进行一次服务器端脚本轮询以命中页面上的对象。这将再次延长会话时间。因此,如果选项卡已关闭,则脚本无法找到该对象,从而允许会话超时。这里的一个问题是,如果您的应用程序负载很高,您的应用程序可以自行执行!
#4
1
Actually there is no way we can LogOff the user when the user closes the browser tab. The only way for this is to check if the the user is authenticated when we call the LogOn method in the Controller.
实际上,当用户关闭浏览器选项卡时,我们无法登录用户。唯一的方法是在我们调用Controller中的LogOn方法时检查用户是否已通过身份验证。
This code is an example of how I do it in ASP.Net MVC 3.
这段代码是我在ASP.Net MVC 3中如何做的一个例子。
public ActionResult LogOn()
{
if (Request.IsAuthenticated)
{
FormsAuthentication.SignOut();
return RedirectToAction("Index","ProductManager");
}
return View();
}
#5
1
You can simply use session variables to automatically log off anybody trying to return to the secured destination page. Create a single session variable (integer or boolean) and in the onclick event of your login button reset it to a known state after acknowledging that the user has a valid credential then set or increment that session variable in the page_load event of the page your trying to secure. Test these values and signout the user if he is trying to return to the page or do nothing if otherwise. The code may look similar to this.
您可以简单地使用会话变量来自动注销任何试图返回到安全目标页面的人。创建单个会话变量(整数或布尔值),并在登录按钮的onclick事件中,在确认用户具有有效凭据后将其重置为已知状态,然后在页面的page_load事件中设置或增加该会话变量以确保。测试这些值并在用户尝试返回页面时注销用户,否则不执行任何操作。代码可能看起来与此类似。
protected void btnLogin_Click(object sender, EventArgs e)
{
if (IsAuthenticated == true)
Session["IsUserLoggedIn"] = (int)0;
}
protected void Page_Load(object sender, EventArgs e)
{
if (HttpContext.Current.User.Identity.IsAuthenticated == true)
{
if (Session["IsUserLoggedIn"] != null)
{
int IsUserLoggedIn = (int)Session["IsUserLoggedIn"];
if (IsUserLoggedIn <= 0)
{
Session["IsUserLoggedIn"] = (int)IsUserLoggedIn + 1;
}
else
{
Session["IsUserLoggedIn"] = (int)0;
FormsAuthentication.SignOut();
FormsAuthentication.RedirectToLoginPage();
}
}
}
else { Session["IsUserLoggedIn"] = (int)0; }
}
#1
6
We decided to use cookie less authentication so that the authentication token is part of the url. When the tab is closed and they open the website again, they will be asked to authenticate again :)
我们决定使用cookie less authentication,以便身份验证令牌成为url的一部分。当标签关闭并再次打开网站时,将要求他们再次进行身份验证:)
#2
3
I have not tried this myself, but I think the following approach should work:
我自己没试过,但我认为以下方法应该有效:
On the client side, you can use the OnUnload event of your document to launch a javascript function that would call your server-side signout method via ajax.
在客户端,您可以使用文档的OnUnload事件来启动javascript函数,该函数将通过ajax调用服务器端注销方法。
On the server side, you should have the action method call FormsAuthentication.SignOut() and Session.Abandon();
在服务器端,您应该使用action方法调用FormsAuthentication.SignOut()和Session.Abandon();
#3
3
A browser clears all Session scoped objects only when it is completely closed, and not when an individual tab is closed.
浏览器仅在完全关闭时清除所有会话作用域对象,而不是在单个选项卡关闭时清除。
One way could be to use a very low Session timeout and have a server-side script poll every few seconds to hit an object on the page. This will extend Session time again. So if a tab is closed, the script can't find the object thereby allowing the Session to timeout. One problem here is if your app is on a pretty high load, your app could DoS itself!
一种方法是使用非常低的会话超时,并且每隔几秒就进行一次服务器端脚本轮询以命中页面上的对象。这将再次延长会话时间。因此,如果选项卡已关闭,则脚本无法找到该对象,从而允许会话超时。这里的一个问题是,如果您的应用程序负载很高,您的应用程序可以自行执行!
#4
1
Actually there is no way we can LogOff the user when the user closes the browser tab. The only way for this is to check if the the user is authenticated when we call the LogOn method in the Controller.
实际上,当用户关闭浏览器选项卡时,我们无法登录用户。唯一的方法是在我们调用Controller中的LogOn方法时检查用户是否已通过身份验证。
This code is an example of how I do it in ASP.Net MVC 3.
这段代码是我在ASP.Net MVC 3中如何做的一个例子。
public ActionResult LogOn()
{
if (Request.IsAuthenticated)
{
FormsAuthentication.SignOut();
return RedirectToAction("Index","ProductManager");
}
return View();
}
#5
1
You can simply use session variables to automatically log off anybody trying to return to the secured destination page. Create a single session variable (integer or boolean) and in the onclick event of your login button reset it to a known state after acknowledging that the user has a valid credential then set or increment that session variable in the page_load event of the page your trying to secure. Test these values and signout the user if he is trying to return to the page or do nothing if otherwise. The code may look similar to this.
您可以简单地使用会话变量来自动注销任何试图返回到安全目标页面的人。创建单个会话变量(整数或布尔值),并在登录按钮的onclick事件中,在确认用户具有有效凭据后将其重置为已知状态,然后在页面的page_load事件中设置或增加该会话变量以确保。测试这些值并在用户尝试返回页面时注销用户,否则不执行任何操作。代码可能看起来与此类似。
protected void btnLogin_Click(object sender, EventArgs e)
{
if (IsAuthenticated == true)
Session["IsUserLoggedIn"] = (int)0;
}
protected void Page_Load(object sender, EventArgs e)
{
if (HttpContext.Current.User.Identity.IsAuthenticated == true)
{
if (Session["IsUserLoggedIn"] != null)
{
int IsUserLoggedIn = (int)Session["IsUserLoggedIn"];
if (IsUserLoggedIn <= 0)
{
Session["IsUserLoggedIn"] = (int)IsUserLoggedIn + 1;
}
else
{
Session["IsUserLoggedIn"] = (int)0;
FormsAuthentication.SignOut();
FormsAuthentication.RedirectToLoginPage();
}
}
}
else { Session["IsUserLoggedIn"] = (int)0; }
}