Im developing a small web aplication, used in a shared computer.
When the user closes the browser window, i want the session and the authentication to be deleted.
In the Login page i use something like this to authenticate the user:
FormsAuthenticationTicket authTicket =
new FormsAuthenticationTicket(1,txtUser.Text,
DateTime.Now,
DateTime.Now.AddMinutes(5),
false,"");
string encTicket = FormsAuthentication.Encrypt(authTicket);
HttpCookie faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
HttpContext.Current.Response.Cookies.Add(faCookie);
string redirectUrl = FormsAuthentication.GetRedirectUrl(txtUser.Text, false);
HttpContext.Current.Response.Redirect(redirectUrl);
As you can see, i have set the “isPersistent” variable to false.
This seems to work on Chrome (haven’t tested on IE), however, when i run the app on Firefox, with multiple tabs activated, if i close the browser and open again, im still authenticated, and the cookie is still there!
Its really strange, beacause the cookie should be removed on closing… Is this a bug from Firefox, when you have multiple tabs opened? How can i fix this?
Help is much appreciated!
Thanks in advance
Thanks for the tips guys, but im sure im closing the browser, without any more Firefox related windows opened.
By reading this, it seems that this is the default browser behavior, choosed by the Firefox 3 designers…
Seems it stores on the disk cookies suposed to be stored on RAM, to recover the tabs when you open the browser again. So if you want to session to be deleted, you need to close all tabs, and then the browser…
I think this can cause some flaws regarding authentication security, for example, someone is using the application, finish the job and leaves, by closing the browser, and not the tabs. Since the computer is shared, right after another user opens the browser, and he will see all the tabs, with the previous session restored…