i want to know when account logout without logout button click.
actually i want to manage dashboard. with some events like login, logout with it's activity date and time.
so if any user login so i will entry for login.
and if any user direct close browser so how can i manage logout entry in database.
You cannot reliably detect the user closing the browser or leaving the website.
The way this is typically done is by measuring inactivity period - if the user has had no activity for, say, 15 minutes, assume that he has left.
The browser will fire a clientside event when it is closing, you should then be able to send a request to your server using javascript.
But as driis said, it is not 100% reliable.
http://aspalliance.com/1294_codesnip_handle_browser_close_event_on_the_serverside
EDIT: Sorry, that article was not nearly as useful as i thought.
Related
i want to fire an event in asp.net when my user session has been expired or i close browser.
actually i want to update some thing in database according to login user when he/she leave the site.
Unfortunately this question is very close to "I want to save my data after computer is turned off"... Very hard and not predictable.
Session termination events are not fired for out of process sessions
Users simply close browsers, logout or turn of machines without any cahnce to notify your site
or even worse - instead of watching ads and actively looking at your site they just leave browser open and go drink, sleep...
Or browsers can crash
Now sometimes you can try to handle unload events for browser... you may have enough time to send response sometime.
Probably most reliable solution is to have heartbeat requests from browser and mark users as active this way (in custom database/storage). Periodically check and mark all users that did not send heartbeat requests for some time...
See the session state events documentation here: http://msdn.microsoft.com/en-us/library/ms178583.aspx
I've got a strange one to solve today. A client needs their site to not allow people being logged in, going to a different site, then still being logged in if they hit the back button in their browser.
Simple I thought... until I couldn't find a page event that got fired when the back button was pressed from another site.
I thought of just using JavaScript and working with the referrer object, but this won't achieve my goal as I need to access the .NET Membership system and log the user out of their session.
Has anyone got around this problem? If so, how? Any help would be appreciated, potentially I'm just missing something that I could achieve in the Global.asax? If it helps, I'm using .NET 4.5 / C#.
Reasoning:
Due to, say, if one operator went and left their machine unlocked, visited Google, then another operator went on the same machine maliciously and hit the back button to gain access to that operator's logon (the client is very security cautious)
So you would like to log out user whenever they leave your site? You cah have global javascript that sends a request to a server every minute saying "Hey, server, I'm here! I'm user Joe Blogs, i'm still on the site". If the server does not get this message from a user longer than a minute, log them out.
Overriding back button is just not going to work. What would you do if user opens up another tab/window and goes to google there?
Update:
you can try using .unload() from jquery to catch page leave. And destroy the cookies on that event.
However, when the machine is just left unattended, nothing stop malicious user to go grab the access.
Update 2 you can just set very short session life! if user is inactive (or left the page) - log them out. To prevent possible annoyance for logging out when user looking on the screen for too long (fills in very long form) - make javascript to do regular (every 5 minutes) to a server to a dummy page - to keep the session live while the page is loaded.
Here is the source: Force users to logout when they leave my php website?
There is perhaps a "magical" solution for the problem but the key thing here is in the reasoning: Operator A is not allowed to use the site with the credentials of Operator B.
From a client and server perspective there is no way that the server or client (browser) can tell that persons changed seats at whatever moment in time.
That's the problem you have to solve.
But perhaps implementing face-detection is a little over the top?
If you were designing the site from the ground up you can do this by adding a header to specify that you do not want caching.
Cache-Control: no-cache
Pragma: no-cache
But you would then have to have all your site access through a single page. The page need not be displayed the same and can contain different controls etc, but it's content would be decided by POST parameters rather than through the normal ASP.NET model.
e.g. Default.aspx and to navigate you would POST back at least two parameters. One would be the page to navigate to, and another would be an unpredictable token.
e.g. Token=3Zd2f4O61Z&Page=OrderHistory
Upon each page load you would validate the token and page title combination, and if OK you would display the page and generate new post-back data links for any navigation or actions you would like the user to take at that point. If the user were to try accessing the same page with the old token, it would expire the session and then log out the user. This is the most secure way to do this as then clicking the back button would prompt the user to resubmit their post data again. If OK was clicked, the browser would submit it but the server would recognise that the token was now invalid (as it has already been used, and discarded by the server) and then log out the user.
This method also protects against CSRF as you are validating a token in the payload of each request rather than just checking cookie values.
I know this won't help you unless you can reengineer your site, but I thought I'd add this solution in case anyone lands here with the requirement from the beginning.
You can have a landing page of your site to contain nothing by a JS redirect to reals homepage this way when person hits back button he will go back first to the damy redirecting page that move him back to home page.
But it will be possible to override this if user chooses to skip number of pages at once or just opens another window.
Could you provide further information about why exactly is its needed ? I think in your case, there is a possible solution of may be having a separate Database table or field for marking or flagging such users who have been redirected to another site just treat them as signed off and then once they hit your sites URL you can probably check for the flag and sign them back in, automatically.
JQuery unload() function will solve your problems as wel as the javascript window.onbeforeunload...
I am building a chat system in an asp.net MVC website, if the user has no actions on the website for more than 2 minutes I will set his status to away.
My question is, how to know if the user is offline, offline means he closed the website or signer out.
I knew that there is an isOnline property in the Membership classes but I am not using Membership for secure login in this website.
Is there a way to know if the user is online or not,
Or how this membership.IsOnline is implemented to make the same in my code.
To know if the user is on the site, you could send an AJAX request every minute from the client to the server and server-side check the time between the received requests to see if he is no longer on the page.
If you want to the detect if the user is "AFK" but might still have the website opened on his browser, you'll have to add global events for key presses, mouse presses and mouse move, and only send the AJAX request each minute if there has been one of those event fired in the last minute.
I found out an issue at my client's site regarding single sign off. for ease of use, i keep the client site name simple.
We developed site1.com using ektron 8.2sp2 framework and when you log into www.site1.com, you can go into "My Page" link, which takes you to www.site2.site1.com, which is a single sign-on.
This page has a log out button, when clicked, it logs off the user from www.site2.site1.com and you have a 'home' link, which takes you to www.site1.com, to log off from there too.
But, if the user just logs off from www.site2.site1.com and closes the browser, and reopens the browser to go to www.site1.com, it takes the user to the login page of www.site2.site1.com
I am trying to figure out the best way to log off the user from www.site1.com also, when the user logs off from www.site2.site1.com
I dont have access to the source files for www.site2.site1.com So, could some one help me how i can redirect the user to logoff from www.site1.com ?
This happens only in IE 8 and Firefox 3.6 but chrome behaves wonderfully.
Thanks in advance.
i guess, the answer to this is FormsAuthentication.SignOut(); will take care of it.
What is the best way to determine "user logout" on IIS server in C#/Asp.Net?
I have an application where the logged in users can initiate long running activities on the server. Those activities need to be terminated when the user logs out.
It is not a problem when the user clicks on the logout, but how do I determine that the user has logged out for example in cases like the user's browser crash, user looses his connection etc.
Make the application session timeout short and implement some kind of polling (AJAX request, for example) to the web application.
The polling takes care of maintaining the session and if the browser is closed without appropriate logout or it crashes, it ceases and the session times out soon.
This is not possible. The browser is running on a different computer, and will not inform the server when it crashes!
Some online banks like HSBC implement something like this by simply having a popup window appear after 1 minute, where no user response (e.g. clicking an OK button) closes the window and logs them out.
The technique I'd prefer is a JavaScript timer that redirects to the logout and then login page, firing an AJAX call to the server first to terminate your long running process for that user. Relying on Session End can give a bit of an annoying user experience in my view.