I need to sign out a user when the user closes the tab or browser. How do I do that in ASP.NET MVC?
1 solution
#1
26
There are a few things you can do to make sure the user is signed out when the browser is closed, but it depends on how you're setting the FormsAuthentication cookie:
- Use Cookieless=True.
- Set a FormsAuthenticationTicket to not be persistent
- Use FormsAuthentication.SetAuthCookie to set Persistence to false
- Use a JavaScript approach to remove the cookie on window.unload.
Cookieless=True approach:
    <system.web>
      <authentication mode="Forms">
        <!-- cookieless is set to true -->
        <forms loginUrl="/Account/Login"
               protection="All"
               cookieless="true" />
      </authentication>
    </system.web>
This appends the cookie value to the querystring in each request. The problem with this approach is it's not very secure and it messes with SEO. If a user sends anyone the URL they're using, that person can log in as the original user (probably not what you want). As far as 'messing with SEO', it causes the same page to look different to a googlebot based on what URL is passed in. Each QueryString change makes it a new URL, and if anyone uses this for posting a link, it will dilute the search results for a given actual URL.
FormsAuthenticationTicket Approach
When you set an Authentication cookie for the user, set Persistent to False.
If you're doing this in the FormsAuthentication.SetAuthCookie, this is default. If you use the FormsAuthenticationTicket class, you have to specify the cookie expiration.
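    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1,                            // version
        "blah",                       // name stored in the ticket (the user name)
        DateTime.Now,                 // issue date
        DateTime.Now.AddMinutes(30),  // expiration (example value)
        false,                        // isPersistent
        string.Empty);                // user data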
FormsAuthentication.SetAuthCookie() Approach
By default, if you don't set persistent, the authentication cookie will expire at the end of the session (when the user closes the browser).
    FormsAuthentication.SetAuthCookie("CookieValue", false); // second argument is persistent
JavaScript approach:
There are no foolproof methods; all you can do is set the cookie expiration date to before now and hope the user's browser co-operates. If you really, really, really, want the cookie gone, you can always try a JavaScript approach, but that won't work if the user has JavaScript disabled.
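    // Cookie to clear (.ASPXAUTH is the Forms Authentication default); script cannot touch HttpOnly cookies.
    var cookieName = '.ASPXAUTH';
    window.addEventListener('unload', function (event) {
        // An expiry date in the past asks the browser to drop the cookie.
        document.cookie = cookieName + '=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/;';
    });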
Other caveats
It also matters which browser you use. Chrome has the ability to run in the background, and that keeps Session Cookies around until their timeout is hit -- they are not dropped when the browser is closed (I found this out the hard way).
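The ticket approach carried through, as an added example that is not part of the original answer: the encrypted ticket goes into a cookie with no Expires value, so the browser treats it as a session cookie, while the ticket's own expiration still bounds the login on the server if the browser keeps session cookies alive. The controller and method names are hypothetical, and credential validation is assumed to have happened before IssueSessionTicket is called.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical controller; names are illustrative, not from the original answer.
public class AccountController : Controller
{
    // Call only after the credentials have been validated (validation not shown).
    private void IssueSessionTicket(string userName)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                              // version
            userName,                                       // user name stored in the ticket
            DateTime.Now,                                   // issue date
            DateTime.Now.Add(FormsAuthentication.Timeout),  // ticket expiry, checked server-side
            false,                                          // isPersistent
            string.Empty,                                   // user data
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            // Expires is deliberately left unset: without it the browser
            // holds the cookie only for the browsing session.
            HttpOnly = true,                          // not readable or removable from page script
            Secure = FormsAuthentication.RequireSSL,  // follows the requireSSL setting in web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        Response.Cookies.Add(cookie);
    }

    // Explicit sign-out for users who log off instead of closing the tab.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();   // sends an expired authentication cookie
        Session.Abandon();               // drops server-side session state
        return RedirectToAction("Login", "Account");
    }
}
```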