4.97/5 (30 votes)
Hello everyone
I have searched the internet to somehow determine the best practice to do this and can't seem to come up with anything except the following, but if anyone has a better idea please feel free to comment.

Some background on project
This particular website has a sensitive client base and security is somewhat important. What I am trying to accomplish is a safe way to log off from the site. Now most people will use the logoff feature to close and end their session, but from time to time we find someone that closes the browser without logging off. Since this website only allows you to be logged in from one machine at a time and checks the DB to see if you are currently logged in. If the user closes the browser without logging off, he does not set the DB to logged off and then is required to go through an extensive amount of security checks to log back in.
Without using cookies, here is what I am trying to accomplish.

On browser exit, and only from the close browser control X, I want a popup window to open that will log him off and then close. The popup is not a problem, nor is the log off using body onunload and body onbeforeunload. But somehow I need to control the unload to fire only when the browser is being closed, not when people are navigating. Hopefully you guys get the drift where I am looking to go with this. I know it's doable because my bank has it. But I haven't been able to find anything that works. Yet, that is.


Additional Info
Maybe I need to go further into details. After checking a little further I found that we are already verifying that the user is logged in as each page is loaded. I guess what the problem is, is that the user is only allowed to be online from one machine or session at a time. And if he ends that session correctly then it works great. But if, as you said, the browser crashes or they forget to log off and close the browser, the user settings in the DB are not reset. So what I am trying to do is figure a way around that. Still looking for any suggestions.
Thanks again.. - Robert Adamo 1 sec ago
Updated 24-Sep-12 23:32pm
Comments
Roger Wright 31-Jul-10 10:51am    
Reason for my vote of 5
A very good question, and something I expect to need soon.
Tech Code Freak 4-Aug-11 6:23am    
Great Question!
My 5!

I don't know how feasible this may be, but it occurs to me that you might include a client-side script to periodically whack the server in some way - a "keep-alive" signal. If the browser is closed or crashes, this signal would fail and you could initiate a logoff.
 
Comments
Robert Adamo 31-Jul-10 16:35pm    
Thanks Guys! You just gave me kind of an idea. Here's my plan. OK, first I have created a service that checks every few min or so if the user is logged in. This is simply accomplished by checking the DB to see if the website has changed the setting from false to true. Simple enough. Now here's my plan. If the service sees the user is logged in (true) it will reset it to false (logged off). While the user is surfing the website I have set an update panel on the master page to change the user setting back to true. This is triggered via a timer, let's say every few seconds or so. Therefore, as long as the user keeps his browser open it will refresh the setting. Then, within a minute of the browser crashing or being closed, the service will reset the user setting back to logged off (false). This should accomplish both requirements: 1) the user can only be logged in from one machine or session at a time and 2) if the user leaves the site either by navigating away or closing or a crash, the service will reset his account back to false. The only drawback I see is computing power and tying up the server with all these server side events. But please keep any and all ideas coming. Need to find some kind of solution asap. Comments are also welcome, good or bad! The good ones help! The bad ones keep you thinking.. Thanks again.
snorkie 15-Sep-11 14:38pm    
Instead of creating a service that constantly hits the database and checks to see if a user is logged on, could you put that logic into the login process? If a user is trying to log in and the database shows no activity, then auto log off that expired session and start a new one. The benefit here is not processing the data for all users every couple of minutes. This would be a very focused query that minimizes resources and only runs when it is necessary.

Hogan
AspDotNetDev 2-May-11 20:30pm    
Friggin brilliant! Not sure why I didn't think of this when I actually needed it. I will be using this idea for a single sign-on project I'm working on. Thanks, Roger!

I would strongly recommend following the CWE/SANS TOP 25 Most Dangerous Programming Errors as the best practice solution for your question.

Solution reference at: http://www.sans.org/top25-software-errors/2009/
 
It's impossible. You can't do anything that is guaranteed to work, always. Instead, you need to turn off caching in all your web pages, and make each page check to make sure the user is logged in, or redirect to the login page. There is NOTHING secure about any system that does not do this. Adding code to show a logoff message when the browser is closed is quite possible, I am sure, but it's also hackable. All that needs to happen is for the event to not fire. For example, if the browser crashes.
 
Comments
Robert Adamo 30-Jul-10 17:43pm    
Ya, but won't turning off caching cause a major slowdown server side? We're talking about somewhere around 10,000 hits per day on this site. But any and all ideas are welcome. Thanks
Robert Adamo 30-Jul-10 17:53pm    
Maybe I need to go further into details. After checking a little further I found that we are already verifying that the user is logged in as each page is loaded. I guess what the problem is, is that the user is only allowed to be online from one machine or session at a time. And if he ends that session correctly then it works great. But if, as you said, the browser crashes or they forget to log off and close the browser, the user settings in the DB are not reset. So what I am trying to do is figure a way around that. Still looking for any suggestions.
Thanks again..

Found this while lolling around. Probably it doesn't matter anymore, but just for reference...
onbeforeunload Event (BODY, FRAMESET, window, ...)
I was wondering why bloody Groove Shark asks me if I want to leave the page or not.
 
Comments
Madhu Nair 17-Oct-13 8:07am    
Thanks for the Link!!!

Hi there,

I don't know how well this works, but when you close a browser it should end the session. When it does, if you're using asp.net, the Global.asax class can help. There are methods in it that should be called when a session starts and ends, which would allow you to force login/logout. Also, if you store the logged in variable in the session object, when the session ends the person is automatically logged out...they have to be :P

Hope this helps,

Ed :)
 
Hello,

I think you can find help towards solving this issue yourself with a little help from another post already on this website....


Detect browser closing through clicks on the [X] button


Good luck.
 
<script type="text/javascript">
    // Runs on unload. Negative mouse coordinates are this answer's test for
    // "the pointer was on the browser's close button"; it relies on window.event.
    function doUnload() {
        if (window.event.clientX < 0 && window.event.clientY < 0) {
            var objconfirm = confirm("Would you like to save changes made?");
            if (objconfirm == true) {
                // Flag the postback so Page_Load knows the page was closed
                document.getElementById("<%=hdtoSaveData.ClientID %>").value = "PageClosed";
                document.form1.submit();
                alert('Data Saved Sucessfully');
            }
        }
    }
</script>

<body onunload="doUnload()" bgcolor="#ff9966">

In the code behind:

    protected void Page_Load(object sender, EventArgs e)
    {
        // hdtoSaveData is the hidden field set by doUnload() before the form is submitted
        if (hdtoSaveData.Value == "PageClosed")
        {
            save();
        }
    }

Please reply if this works. It works fine for me. This will save on closing the browser.
 
On the design page write
onbeforeunload = javascript function();

then call the webservice or pagemethod through the jQuery ajax method,
and in the code-behind method query the database and update the login table.
This method will definitely work.. I had used it..
 
Comments
I.explore.code 18-Oct-12 8:16am    
Please don't reply to such old threads! There have been better solutions than yours already posted, and besides, every time someone searches for Top Rated questions, it creates confusion to see that someone updated a thread which is actually really old.

Hi friend,

Actually, I looked at all the solutions and no doubt they all are great. But just a question?
Is it really necessary for the system to keep the person logged in even if he has not been doing any considerable work. For example, I opened up the site, logged into it and then I started surfing other sites and didn't look at it for a pretty good amount of time. What happened is that after an hour or so, I logged back in and Boom, I got the message
Your Session expired : Please log in again

How about time based session expiry?

Next point. Have you heard about heartbeat? I have an idea here, pretty simple: if it is required for the user to remain logged in, i.e. session expiry cannot be used, then what I have thought of is a simple heartbeat. Obviously, one has to do pretty complex programming, as keeping it simple this time will make it vulnerable to easy hacking.
Now, the concept is: while the user is logged in, it will keep sending a heartbeat signal at a particular period that is set so that it balances between the server load and the wait time. (Wait time is: if a user closed the browser and then gets to know about some important notification, he has to re-login, and he used his phone to log in, and it should not show him as already registered on another device.)

Alright, Now, what happens is if the server doesn't receive any heartbeat for the given time, it will clear the user's session.
Well that was just my idea, and I am not sure if it is easy on server load and other parameters etc. But, you can give it a second thought if you like.

Hope that I was of some good help to you. Consider rating my answer. :)

With Regards
Tushar Srivastava
 
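The heartbeat and login-time expiry ideas raised in this thread (the keep-alive answer, snorkie's comment and the heartbeat answer above), shown as an added example that is not code from any poster: a server-side registry in Node.js JavaScript that refuses a second login while a session is live and treats the user as logged off once heartbeats stop. `SessionRegistry`, `HEARTBEAT_TIMEOUT_MS`, `tokensEqual` and the in-memory `Map` standing in for the DB table are assumptions.

```javascript
// Added example: single-session registry with heartbeat and login-time expiry.
// SessionRegistry, HEARTBEAT_TIMEOUT_MS and the Map are illustrative assumptions.
const nodeCrypto = require('node:crypto');

const HEARTBEAT_TIMEOUT_MS = 60 * 1000; // assumed: a few missed client heartbeats

// Constant-time comparison so the token check does not leak matching prefixes.
function tokensEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && nodeCrypto.timingSafeEqual(x, y);
}

class SessionRegistry {
  constructor(now = () => Date.now()) {
    this.now = now;          // injectable clock keeps the logic testable
    this.active = new Map(); // userId -> { token, lastSeen }; stands in for the DB row
  }

  // Staleness is computed on demand, so no background service has to sweep users.
  isLive(userId) {
    const s = this.active.get(userId);
    return Boolean(s) && this.now() - s.lastSeen <= HEARTBEAT_TIMEOUT_MS;
  }

  // Call only after the credentials have been verified.
  login(userId) {
    if (this.isLive(userId)) return { ok: false, reason: 'already-logged-in' };
    const token = nodeCrypto.randomBytes(32).toString('hex');
    this.active.set(userId, { token, lastSeen: this.now() }); // overwrites a stale row
    return { ok: true, token };
  }

  // Called by the page timer and on every authenticated request.
  heartbeat(userId, token) {
    const s = this.active.get(userId);
    if (!this.isLive(userId) || !tokensEqual(s.token, token)) return false;
    s.lastSeen = this.now();
    return true;
  }

  logout(userId, token) {
    const s = this.active.get(userId);
    if (s && tokensEqual(s.token, token)) this.active.delete(userId);
  }
}
```

Because the heartbeat must present the token issued at login, a second machine cannot keep another machine's session alive, and a token from an expired session stops working as soon as a new login replaces it.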
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


