1

I have some problems with getting my website to log out the authenticated user automatically when the session ends (the user closes the browser).

This is what I have in my web.config:

<authentication mode="Forms">
    <forms name="AuthCookie" protection="All" loginUrl="~/default.aspx" path="/" cookieless="UseCookies" timeout="2592000"/>
</authentication>

<authorization>
    <allow users="?" />
</authorization>

<membership defaultProvider="ASPPGSqlMembershipProvider" userIsOnlineTimeWindow="20">
    <providers>
        <clear />
        <add name="AspNetSqlMemberShipProvider" applicationName="umbraco4" type="System.Web.Security.SqlMembershipProvider" connectionStringName="UmbracoDb" requiresUniqueEmail="true" enablePasswordReset="true" enablePasswordRetrieval="false"/>
        <add name="UsersMembershipProvider" applicationName="umbraco4" type="umbraco.providers.UsersMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" />
        <add name="ASPPGSqlMembershipProvider" applicationName="umbraco4"
            passwordStrengthRegularExpression="" minRequiredPasswordLength="4" minRequiredNonalphanumericCharacters="0"
            enablePasswordRetrieval="false"
            enablePasswordReset="true"
            requiresQuestionAndAnswer="false"
            requiresUniqueEmail="true"
            forumUpfileFolderPath="D:\www\files"
            type="ASPPG.MembershipProviders.ASPPGSqlMembershipProvider, ASPPGSiteIntegrationPackage"/>
    </providers>
</membership>

This is how I log in the user:

if (Membership.ValidateUser(txtUserName.Text, txtPasssword.Text)) {
    HttpCookie cookie = FormsAuthentication.GetAuthCookie(txtUserName.Text, false);
    cookie.Expires = DateTime.Now.AddDays(1);
    cookie.Domain = ConfigurationManager.AppSettings["Level2DomainName"];
    HttpContext.Current.Response.Cookies.Add(cookie);
    Response.Redirect(Request.Url.ToString());
}

When I close the browser, the user is still logged in. How do I make the website forget the user through an option, so the user himself can decide if the website should remember or not?

Thanks in advance :)

M

kervin
  • 11,672
  • 5
  • 42
  • 59
EmKay
  • 1,089
  • 1
  • 13
  • 28

1 Answers1

5

Have you tried NOT setting the cookie.Expires or at least setting it to DateTime.MinValue for user's that don't want to be 'remembered'?

From MSDN:

Setting the Expires property to MinValue makes this a session Cookie, which is its default value.

Kelsey
  • 47,246
  • 16
  • 124
  • 162
  • You are citing from the System.Net namespace, but it appears the question is in in the System.Web namespace. I don't know how they relate, but I did not find a similar comment about cookie.Expires in the System.Web namespace. – abelenky Sep 09 '10 at 15:35
  • @abelenky I couldn't find a good citation from System.Web so I did a quick search and found it in System.Web. I am not sure why the remark is not included in both spots. – Kelsey Sep 09 '10 at 15:46
  • @able - a cookie is a cookie, be it a Cookie or HttpCookie. only the wrapper changed, not the underlying implementation and behavior in regards to ASP.net forms authentication. – Sky Sanders Sep 23 '10 at 04:17