Empty instance code for session or cookie when security exits in ASP.

Overview:

Click on the site to exit, if only redirect to the login/out page, at this time in the browser address bar entered after the login page address such as the homepage, you will find that you can access without logging in. This so-called exit is not safe.

So how do you exit safely?

That is, click Exit to empty the corresponding session or cookie.

Empty the session code:

Session.clear (); Session.Abandon ();

Clear the correct code for the cookie (assuming the cookie name is called userinfo):

if (request.cookies["UserInfo"]! = null) {response.cookies["UserInfo"]. Expires = DateTime.Now.AddDays (-1);}

If you need to clear all cookies, traverse:

for (int i = 0; I <Response.Cookies.Count; i++) {response.cookies[i]. Expires = DateTime.Now.AddDays (-1);}

Clear the error code for the cookie (assuming the cookie name is called userinfo):

if (request.cookies["UserInfo"]! = null) {Response.Cookies.Remove ("UserInfo");}

You will find that after this processing, the cookie still exists, why is it not deleted? Let's go and see. NET HttpCookieCollection realize the source code:

public void Remove (string name) {if (this._response! = null) {This._response. Beforecookiecollectionchange ();} This. Removecookie (name); if (this._response! = null) {This._response. Oncookiecollectionchange ();}}

This action removes the cookie from the HttpCookieCollection collection, and when the server transmits the data to the client, it does not contain any information about the cookie that has been deleted at the service. The browser will not make any changes to it (the Remove method simply does not allow the server to send the deleted cookie to the client, regardless of the cookie left in the client). So the cookie will not be deleted when the situation appears.

Since Response.Cookies.Remove has no way to achieve the effect we need, why Microsoft is still there, because cookiecollection implement ICollection interface, Romove is the method that must be implemented, although it does not have much practical value. And the collection of romove should be such a way of implementation, but Microsoft in the writing of MSDN, the description is too unclear, it caused us no small trouble.

Here are a summary of several ways to achieve safe exit:

1). Exit with server controls such as Linkbutton,button

This approach is best handled by writing code that empties the session or cookie directly in the event of the server control.

2). Exit with HTML tags such as <a> logout </a>

For <a></a> This special tag can be implemented as follows: <a href= "logout.aspx" > Logout </a>, Page_ in logout.aspx Write the code to empty the session or cookie in the Load event.

For HTML tags such as <a></a>, you can use Js-ajax, or Jquery-ajax, in the corresponding client event of the HTML tag, in the generic handler (. ashx) You can write the code that clears the session or cookie.

For HTML tags such as <a></a>, you can also: Add a server control such as a button on the current page, include it with a div, and let it hide (note: Hidden is not visible and cannot be visible=false by server properties. Can only be implemented by setting the display:none of the Div, write the empty session or cookie code in the server event Cilck of the button The button control's Click event is then invoked with JS or jquery in the corresponding client event of the HTML tag (the button is hidden by the server property Visible=false. JS or jquery calls the button control's click event to expire).

