See more: C# ASP.NET Javascript
Hello everyone
I have searched the internet to somehow determine the best practice to do this and can't seem to come up with anything except the following, but if anyone has a better idea please feel free to comment.
 
Some background on project
This particular website has a sensitive client base and security is somewhat important. What I am trying to accomplish is a safe way to log off from the site. Now most people will use the logoff feature to close and end their session, but from time to time we find someone that closes the browser without logging off. This website only allows you to be logged in from one machine at a time and checks the DB to see if you are currently logged in. If the user closes the browser without logging off, he does not set the DB to logged off and then is required to go through an extensive amount of security checks to log back in.
Without using cookies, here is what I am trying to accomplish.
 
On browser exit, and only from the close browser control X, I want a popup window to open that will log him off and then close. The popup is not a problem, nor is the log off using body onunload and body onbeforeunload. But somehow I need to control the unload to fire only when the browser is being closed, not when people are navigating. Hopefully you guys get the drift of where I am looking to go with this. I know it's doable because my bank has it. But I haven't been able to find anything that works. Yet, that is.
 

Additional Info
Maybe I need to go further into details. After checking a little further I found that we are already verifying that the user is logged in as each page is loaded. I guess what the problem is that the user is only allowed to be online from one machine or session at a time. And if he ends that session correctly then it works great. But if, as you said, the browser crashes or they forget to log off and close the browser, the user settings in the DB are not reset. So what I am trying to do is figure a way around that. Still looking for any suggestions.
Thanks again.. - Robert Adamo 1 sec ago
Posted 30-Jul-10 12:08pm
Edited 25-Sep-12 0:32am
v3
Comments
Roger Wright at 31-Jul-10 10:51am
   
Reason for my vote of 5
A very good question, and something I expect to need soon.
Tech Code Freak at 4-Aug-11 6:23am
   
Great Question!
My 5!

Solution 3

I don't know how feasible this may be, but it occurs to me that you might include a client-side script to periodically whack the server in some way - a "keep-alive" signal. If the browser is closed or crashes, this signal would fail and you could initiate a logoff.
Comments
Robert Adamo at 31-Jul-10 16:35pm
   
Thanks Guys! You just gave me kind of an idea. Here's my plan. OK, first I have created a service that checks every few min or so if the user is logged in. This is simply accomplished by checking the DB to see if the website has changed the setting from false to true. Simple enough. Now here's my plan. If the service sees the user is logged in (true) it will reset it to false (logged off). While the user is surfing the website I have set an update panel on the master page to change the user setting back to true. This is triggered via a timer, let's say every few seconds or so. Therefore as long as the user keeps his browser open it will refresh the setting. Then, within a minute of the browser crashing or being closed, the service will reset the user setting back to logged off (false). This should accomplish both requirements: 1) the user can only be logged in from one machine or session at a time and 2) if the user leaves the site either by navigating away or closing or a crash, the service will reset his account back to false. The only drawback I see is computing power and tying up the server with all these server side events. But please keep any and all ideas coming. Need to find some kind of solution asap. Comments are also welcome, good or bad! The good ones help! The bad ones keep you thinking. Thanks again.
snorkie at 15-Sep-11 14:38pm
   
Instead of creating a service that constantly hits the database and checks to see if a user is logged on, could you put that logic into the log in process? If a user is trying to log in and the database shows no activity, then auto log that expired session and start a new one. The benefit here is not processing the data for all users every couple of minutes. This would be a very focused query that minimizes resources and only runs when it is necessary.
 
Hogan
AspDotNetDev at 2-May-11 20:30pm
   
Friggin brilliant! Not sure why I didn't think of this when I actually needed it. I will be using this idea for a single sign-on project I'm working on. Thanks, Roger!

Solution 8

I would strongly recommend following the CWE/SANS TOP 25 Most Dangerous Programming Errors as the best practice solution for your question.
 
Solution reference at: http://www.sans.org/top25-software-errors/2009/

Solution 1

It's impossible. You can't do anything that is guaranteed to work, always. Instead, you need to turn off caching in all your web pages, and make each page check to make sure the user is logged in, or redirect to the login page. There is NOTHING secure about any system that does not do this. Adding code to show a logoff message when the browser is closed is quite possible, I am sure, but it's also hackable. All that needs to happen is for the event to not fire. For example, if the browser crashes.
Comments
Robert Adamo at 30-Jul-10 17:43pm
   
Ya, but won't turning off caching cause a major slowdown server side? We're talking about somewhere around 10,000 hits per day on this site. But any and all ideas are welcome. Thanks
Robert Adamo at 30-Jul-10 17:53pm
   
Maybe I need to go further into details. After checking a little further I found that we are already verifying that the user is logged in as each page is loaded. I guess what the problem is that the user is only allowed to be online from one machine or session at a time. And if he ends that session correctly then it works great. But if, as you said, the browser crashes or they forget to log off and close the browser, the user settings in the DB are not reset. So what I am trying to do is figure a way around that. Still looking for any suggestions.
Thanks again..

Solution 7

Found this while lolling around. Probably it doesn't matter anymore, but just for reference...
onbeforeunload Event (BODY, FRAMESET, window, ...)
I was wondering why bloody Groove Shark asks me if I want to leave the page or not.
Comments
Madhu Sasi Nair at 17-Oct-13 8:07am
   
Thanks for the Link!!!

Solution 6

Hi there,
 
I don't know how well this works, but when you close a browser it should end the session. When it does, if you're using ASP.NET, the Global.asax class can help. There are methods in it that should be called when a session starts and ends, which would allow you to force login/logout. Also, if you store the logged in variable in the session object, when the session ends the person is automatically logged out...they have to be :P
 
Hope this helps,
 
Ed :)

Solution 5

Hello,
 
I think you can find help towards solving this issue yourself with a little help from another post already on this website....
 

Detect browser closing through clicks on the [X] button
 

Good luck.

Solution 9

<script type="text/javascript">
    // Runs on unload. Treats negative mouse coordinates as a click on the
    // browser's close button rather than navigation inside the page.
    function doUnload() {
        if (window.event.clientX < 0 && window.event.clientY < 0) {
            var objconfirm = confirm("Would you like to save changes made?");
            if (objconfirm == true) {
                // Flag the postback so the code-behind knows the page is closing.
                document.getElementById("<%=hdtoSaveData.ClientID %>").value = "PageClosed";
                document.form1.submit();
                alert('Data Saved Successfully');
            }
        }
    }
</script>

<body onunload="doUnload()" bgcolor="#ff9966">

in the code behind:

protected void Page_Load(object sender, EventArgs e)
{
    // Set by doUnload() before the form is submitted.
    if (hdtoSaveData.Value == "PageClosed")
    {
        save();
    }
}

Please reply if this works; it works fine for me. This will save on closing the browser.

Solution 10

On the design page write
onbeforeunload = javascript function();
then call the web service or page method through the jQuery ajax method,
and in the code-behind method query the database and update the login table.
This method will definitely work. I had used it.
Comments
Aman.A at 18-Oct-12 8:16am
   
Please don't reply to such old threads! There have been better solutions than yours already posted and besides, every time someone searches for Top Rated questions, it creates confusion to see that someone updated a thread which is actually really old.

Solution 11

Hi friend,
 
Actually, I looked at all the solutions and no doubt they all are great. But just a question?
Is it really necessary for the system to keep the person logged in even if he has not been doing any considerable work? For example, I opened up the site, logged into it, and then I started surfing other sites and didn't look at it for a pretty good amount of time. What happened is that after an hour or so, I logged back in and boom, I got the message
 Your Session expired : Please log in again 
How about time based session expiry?
 
Next point. Have you heard about a heartbeat? I have an idea here, pretty simple: if it is required for the user to remain logged in, i.e. session expiry cannot be used, then what I have thought of is a simple heartbeat. Obviously, one has to do pretty complex programming, as keeping it simple this time will make it vulnerable to easy hacking.
Now, the concept is: while the user is logged in, it will keep sending a heartbeat signal at a particular period that is set so that it balances between the server load and the wait time (wait time is: if a user closed the browser and then gets to know about some important notification, he has to re-login, and he used his phone to log in, and it should not show him as already registered on another device).
 
Alright, Now, what happens is if the server doesn't receive any heartbeat for the given time, it will clear the user's session.
Well that was just my idea, and I am not sure if it is easy on server load and other parameters etc. But, you can give it a second thought if you like.
 
Hope that I was of some good help to you. Consider rating my answer. :)
 
With Regards
Tushar Srivastava
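
The heartbeat proposed in Solution 3 and Solution 11, combined with the login-time expiry suggested in the comments on Solution 3, as an added example that is not part of the original thread. `SessionRegistry`, its method names and the 60-second timeout are assumptions, and an in-memory map stands in for the login table; the server logic is modeled in JavaScript.

```javascript
// Added example: single-session registry with heartbeat and lazy expiry.
// SessionRegistry, HEARTBEAT_TIMEOUT_MS and the method names are hypothetical.
const HEARTBEAT_TIMEOUT_MS = 60 * 1000; // assumed: 60 s of silence means the browser is gone

class SessionRegistry {
  constructor(timeoutMs = HEARTBEAT_TIMEOUT_MS) {
    this.timeoutMs = timeoutMs;
    this.active = new Map(); // userId -> { sessionId, lastSeen }
  }

  isStale(entry, now) {
    return now - entry.lastSeen > this.timeoutMs;
  }

  // Login path, after credentials are verified. sessionId is assumed to be the
  // framework's unguessable session identifier. A stale entry is reclaimed here,
  // so no background service has to scan every user.
  login(userId, sessionId, now = Date.now()) {
    const entry = this.active.get(userId);
    if (entry && entry.sessionId !== sessionId && !this.isStale(entry, now)) {
      return { ok: false, reason: "active-elsewhere" };
    }
    this.active.set(userId, { sessionId, lastSeen: now });
    return { ok: true, reclaimedStale: Boolean(entry) && entry.sessionId !== sessionId };
  }

  // Called by the periodic client request and by every page load. Only the
  // session that currently owns the account may refresh it; a browser that
  // went quiet and was replaced cannot revive itself.
  heartbeat(userId, sessionId, now = Date.now()) {
    const entry = this.active.get(userId);
    if (!entry || entry.sessionId !== sessionId || this.isStale(entry, now)) {
      return false;
    }
    entry.lastSeen = now;
    return true;
  }

  // Explicit logoff; also requires the owning session.
  logout(userId, sessionId) {
    const entry = this.active.get(userId);
    if (!entry || entry.sessionId !== sessionId) return false;
    return this.active.delete(userId);
  }
}
```

Because the heartbeat and logoff are tied to the session identifier, a request that only names the user cannot keep someone else's session alive or end it.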

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Web03 | 2.8.1411023.1 | Last Updated 22 Dec 2013