2

I have a logout button on my site that triggers

FormsAuthentication.SignOut()

forcing the need to log in again even if one uses the back button on the browser or copy/pastes the URL. However, if one closes the tab with the x button of the browser and there's another tab still open, then if they copy/paste the URL the page will reopen without logging in. This is a serious security problem. If the browser is closed completely by closing all tabs, that doesn't happen. How can I prevent returning to the URL after closing the tab even if the browser hasn't been closed completely? Is there a way of catching a JavaScript OnClose event that will trigger FormsAuthentication.SignOut()? I'm working in ASP.NET C#.

nobody
Dov Miller
  • Are you concerned if the user disables javascript? – villecoder Apr 03 '12 at 12:51
  • How is this very common browser/user behaviour "a serious security problem"? – H H Apr 03 '12 at 12:52
  • What if the other tab they have open is *your website*? Your proposed solution would log them out, even though they are still on your site. – Andrew Barber Apr 03 '12 at 12:53
  • @Henk Holterman I have, for example, technicians working at client premises connecting to our site, and if they close the tab as described someone unauthorised may return to the site and get access to sensitive information. – Dov Miller Apr 03 '12 at 13:16

3 Answers

1

That's a browser session problem.

A browser session ends only when the browser is closed (in fact, the cookie which holds the session id is deleted when the browser is closed). That's why you are not logged out when you close only one tab without closing the whole browser.

There's no reason to log out the user when he only closes a tab. This behavior is not standard on the web and users can be disoriented if you do that.

But never mind, if you want to do that, you can write a bit of JavaScript that shows a popup to warn the user he must log out before leaving. To do that, use the unload or onbeforeunload event.

Look here to see examples: How to create popup window when browser close

Community
Jerome Cance
0

You may use JavaScript on the window onbeforeunload event to make a call to your website and log out the user.

Aliostad
0

Wait, the user has two tabs open on your site and they click "Logout" in the one, but not in the other? Well, then they haven't really logged out - the session is still active. I see how that can be a problem. But it is not a SECURITY problem, it's just the same user that remains logged in.

Anyway, you can create, for instance, a new session variable that you fill with a value whenever the user logs in, and that you delete when the user logs out. Then in every Page_Load, check this variable, and redirect to the login page if it doesn't exist.

Might be a bit of overkill, but it's all server side and you won't need Javascript to do it.

Mr Lister
  • My problem isn't 2 tabs open on my site, it's 1 on my site and 1 on another and when the tab of my site is closed you can get back in thru the other tab without logging in. – Dov Miller Apr 03 '12 at 13:09
  • @DovMiller Hm, that shouldn't happen. The session should be ended then. Still, I think my solution should work. Can you try? – Mr Lister Apr 03 '12 at 13:20
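
A sketch of the onbeforeunload idea from the answers above that also handles the second-tab case raised in the comments. It is an added example, not code from any poster: the storage key, grace period, `/session/*` paths and the in-memory `SessionStore` (a stand-in for the ASP.NET session check done on each page request) are all assumptions.

```javascript
// Added example; TAB_KEY, GRACE_MS and the /session/* paths are assumptions.
const TAB_KEY = 'openTabs';   // counter in localStorage, shared by same-origin tabs
const GRACE_MS = 5000;        // window in which a reload or in-site navigation may return

// Browser side: keep a count of open tabs on this site.
function tabOpened(storage) {
  const n = Number(storage.getItem(TAB_KEY) || 0) + 1;
  storage.setItem(TAB_KEY, String(n));
  return n;
}

// Report to the server only when the last tab on this site goes away, so a
// second tab on the same site keeps the user signed in.
function tabClosed(storage, notifyServer) {
  const n = Math.max(0, Number(storage.getItem(TAB_KEY) || 0) - 1);
  storage.setItem(TAB_KEY, String(n));
  if (n === 0) notifyServer();
  return n;
}

// Server side (model): the session dies unless a request returns within GRACE_MS.
class SessionStore {
  constructor() { this.sessions = new Map(); }          // sid -> { closingAt }
  login(sid) { this.sessions.set(sid, { closingAt: null }); }
  logout(sid) { this.sessions.delete(sid); }            // explicit Logout button
  tabClosing(sid, now) {                                // handler for the beacon
    const s = this.sessions.get(sid);
    if (s) s.closingAt = now;
  }
  check(sid, now) {                                     // run on every page request
    const s = this.sessions.get(sid);
    if (!s) return false;
    if (s.closingAt !== null && now - s.closingAt > GRACE_MS) {
      this.sessions.delete(sid);                        // nobody came back in time
      return false;
    }
    s.closingAt = null;                                 // same visit continues
    return true;
  }
}

// Browser wiring; skipped outside a browser.
if (typeof window !== 'undefined') {
  tabOpened(window.localStorage);
  navigator.sendBeacon('/session/alive');               // clears a pending close mark
  window.addEventListener('beforeunload', () =>
    tabClosed(window.localStorage, () => navigator.sendBeacon('/session/tab-closing')));
}
```

The unload events also fire on reload and in-site navigation, which is what the grace period absorbs. They do not fire if the browser crashes or JavaScript is disabled, so the server-side check remains the part that enforces the logout.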