In
one of my projects, I used Form Authentication to authenticate users
against our Intranet domain by using LDAP. The good things
are users
don't have to remember another pair of user name and password, and form
authentication gives users ability to log out. Users
cannot
log out if we use Windows Integrated Authentication.
By
design, if users click something which they don't have permission, form
authentication will automatically redirect them to the login page, and
there users can log in with another account to access the desired
resource. However in some use cases, users don't like this
behaviour. They argue that it's rare that users have 2
accounts
in the system. So if they don't have permission, we don't
have to
redirect them to the login page. We just need to display some
messages indicating they need an admin to reassign them the proper
permission. Here I just have a workaround when users are
redirected to the login page, I will display some information on the
login page to explain why they are showed the login page.
Another user requirement is users want to kill
the session and log out when the browser is shut down. This
requirement looks simple but It took me a long time to work on it.
Even worse is so far I haven't gotten the proper way to
resolve
the problem. But I did get some workarounds in this stage.
When
I searched from the internet, most people said you couldn't log out
automatically. This is true in that the session is stored in the
server, when users close the browser, the browser normally just closes
and won't send a message to the server. So the server never
knows
the client is already gone.
But when you go to some bank
websites, closing browser will log you out immediately. When
you
go to the same site again, the site always asks for your credentials.
I don't know how exactly they are doing. However, I
think
they might use their own login mechanism. Users are always
directed to the login page when users first open the website.
When login page opens, the website always clear the old
session
and old credentials, so users have to enter their account again.
Since in the middle, they won't be redirected to the login
page,
so this clearing won't bring trouble.
I referenced this
blog and this
discussion and this discussion
to implement my workaround.
First created the Exit.aspx page. In the page load method, do
the following:
protected void Page_Load(object sender,
EventArgs e)
{
FormsAuthentication.SignOut();
Session.Abandon();
// clear
authentication cookie
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
"");
cookie.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie);
FormsAuthentication.RedirectToLoginPage();
}
The
code kills the session and logs out the user. I put the code
in
the page load event handler so this page will never be displayed.
Then
in the normal pages add the following javascript code. Since
I
have a master page for all my pages, I can put this code in my master
page so every page will be affected.
<script type="text/javascript" >
var closeTab = false;
window.onbeforeunload =
checkBrowserBefore;
window.onunload = checkBrowserUnload;
function checkBrowserBefore() {
if (window.event.clientY <= 0) {
closeTab = true;
return "Do you leave the application or stay?";
}
else
closeTab = false;
}
function checkBrowserUnload() {
if (closeTab)
window.location.href = "../Exit.aspx";
}
</script>
Notice
here I check 2 events onbeforeunload and onunload. When users
close the browser tab or browser, the onbeforeunload will fire.
In IE a message box will pop up asking user to confirm the
closing. If user clicks Yes, or in some new IE versions users
choose Leave the page, the onunload will fire. Otherwise the
onunload will not fire. That's the reason we have to check
both
events.
Again we should remember this is just a workaround
and not guaranteed. This workaound only works in IE, but not
even in all
IE versions. In IE7, it works when users close either the IE
tab or the entire IE browser. But in IE9, it works when users
close
the IE tab, but not working when users close the IE browser.
I haven't tested on other IE versions or other browsers.
Also it is not working when users kill the browser process in task
manager or use Alt + F4 to close it.