I want to clear the session ID of a logged-in user, server side, when the browser window is closed after login, in ASP.NET with C# 3.5. After logging in with the credentials, if the browser window is closed, the session must be cleared. The browser used is Internet Explorer.

What I have tried:

I am able to clear the session using Session.Abandon() on clicking the log out button. But how do I clear the session ID of the logged-in user if the browser window is closed?
Updated 6-Jul-17 7:55am

That's not possible, as the server doesn't know the user has closed their browser. If the browser has closed then the session cookie is gone, so the session can no longer be expired and will time out anyway; that's just how sessions work.
   
There are some interesting articles on using JavaScript to detect when the tab/browser is closed. So could you try using some JavaScript on your web page instead of using C# in the backend? One of the articles I found was on Stack Overflow: "javascript - Trying to detect browser close event".
   
Comments
Richard Deeming 6-Jul-17 12:00pm
   
The problem is, all of those solutions rely on the onbeforeunload event, which fires every time you navigate away from the current page. That includes closing the browser, closing the browser tab, navigating to a different site, navigating to a different page in the same site, or reloading the current page.

There's no reliable way to detect when the browser window / tab is actually being closed. And even if there was, there'd be no way of knowing whether your site was open on any other window or tab at the time.

This is just one of those problems that keeps getting posted, but doesn't have a real solution. You just have to stick with the default behaviour, and wait for the session to time out.
HeatherAtWork 6-Jul-17 12:28pm
   
I am not sure of the OP's implementation, but it could be a security issue as the reason for timing out the session. It is a risk if the session is still valid after the user closes the browser and a different user with different rights logs in.

I agree the JavaScript route to detect when the tab has "lost focus" is far from ideal, but waiting for a time-out may not be either. Maybe a prompt when it has lost focus for whatever reason, asking the user to log out before leaving the browser, would be a workaround? It would get annoying to the user - but if the key is security it may be a way to be more secure?

The functionality would be similar to when you are editing a Facebook post or comment and try to browse away from the page - the user could be prompted. Again this would get annoying. There are some other solutions that have been presented as well to determine refresh or close.

(I never like to say things are NOT possible, there is always some way to make things work in some way) :)

Richard Deeming 6-Jul-17 12:32pm
   
But if a different user logs in, and still has the same session, then the browser was never closed. :)

Unless you're talking about an attacker who's intercepted the session and authentication cookies, and is now using those cookies to make their own requests against the user's account? That's a much more interesting problem.
HeatherAtWork 6-Jul-17 13:03pm
   
(I actually meant logs into the computer in a shared environment, sorry about the confusion.) The session ends with a timeout, however, not browser close, so if a user gets on the computer after the first user that closed but did not log out (even if cookies are cleared) there is still an active session. So if they go to the same site they will see the other user's "view".
Richard Deeming 6-Jul-17 13:08pm
   
But in any sane system, the server's session is tied to the browser using a "session cookie" (aka: temporary cookie).

Session cookies are deleted as soon as the browser window is closed. So even on a shared computer, with two users using the same OS login, once the first user closes the browser, the second user will get a completely different session.

(If they're using different OS logins, then they won't share any cookies. So there's still no way for the second user to grab the first user's session.)

The only way to pick up the previous user's session is if the browser was left open. Which would probably mean that the first user is still logged in, since it's common practice to abandon the session when a user logs out.
HeatherAtWork 6-Jul-17 13:53pm
   
I believe you are right, but we've gone beyond the scope of the original question :)

I think there is a little bit of quirkiness there when it comes to sessions, especially when you are talking about shared environments (complete with Active Directory and single SSO), cookies, tabs, browsers... For example, on a system I currently use, even when cookies are deleted and a tab is closed, if I open a certain site again I am still logged in if I only close the tab or even close the browser window. THAT is in Chrome and I do have it set to not delete session when I close the browser (Keep local data only until you quit your browser is turned OFF). Of course, I had another browser user in another window still open so it's ALL browser windows... so logging out of Windows would have exited all browsers and closed the session :)

So again - you are right, but I still believe in not saying things can't be done. There is no "solution" but there are multiple (underwhelming) workarounds.

Also - thanks for the great discussion :)
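
As an added example (not code from any poster in this thread): because the server cannot observe the browser closing, the server-side controls the thread mentions are abandoning the session on logout and letting idle sessions time out. The page name `Logout`, the `~/Login.aspx` URL and the 10-minute value are assumptions; `ASP.NET_SessionId` is the default session cookie name and differs if `cookieName` is set in `web.config`.

```csharp
// Added example, not from the thread. Assumes ASP.NET Web Forms with
// cookie-based session state and the default session cookie name.
using System;
using System.Web;
using System.Web.UI;

// Global.asax code-behind: shorten the idle window so a session that is
// never explicitly logged out (browser simply closed) expires sooner.
public class Global : HttpApplication
{
    protected void Session_Start(object sender, EventArgs e)
    {
        Session.Timeout = 10;   // minutes of inactivity (assumed value)
    }
}

// Hypothetical logout page.
public partial class Logout : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        EndSession(Context);
        Response.Redirect("~/Login.aspx", false);   // assumed login URL
    }

    // Destroys the server-side session and tells the browser to discard
    // the session id it holds, so the old id is not presented again.
    public static void EndSession(HttpContext context)
    {
        if (context.Session != null)
        {
            context.Session.Clear();     // drop stored values now
            context.Session.Abandon();   // session is destroyed at end of request
        }

        // Overwrite the session cookie with an empty, already-expired one.
        HttpCookie expired = new HttpCookie("ASP.NET_SessionId", string.Empty);
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        expired.HttpOnly = true;
        context.Response.Cookies.Add(expired);
    }
}
```

The next request after logout arrives without a valid session id, so ASP.NET issues a new one; a closed browser that never reached this page is covered only by the idle timeout.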

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



