asp.net the instance code to empty the session or cookie when the security exits in the. Practical tips

Overview:

Click to exit the site, if just redirect to the login/out page, at this point in the browser address bar to enter a page after the address of the homepage, such as home, you will find that you can access without logging on. This so-called exit is not safe.

So how do you safely quit?

That is, click the exit and then empty the corresponding session or cookie.

To clear the session code:

Session.clear ();
Session.Abandon ();

Clears the correct code for the cookie (assuming the cookie name is called userinfo):

if (request.cookies["UserInfo"]!= null)
{
response.cookies["UserInfo"]. Expires = DateTime.Now.AddDays ( -1);
}

If you need to clear all cookies, traverse:

for (int i = 0; I <Response.Cookies.Count; i++)
{
response.cookies[i]. Expires = DateTime.Now.AddDays ( -1);
}

Clears the error code for the cookie (assuming the cookie name is called userinfo):

if (request.cookies["UserInfo"]!= null)
{
Response.Cookies.Remove ("UserInfo");
}

You will find that, after this processing, the cookie still exists, why is it not deleted? Let's go and have a look. NET HttpCookieCollection to realize the source code:

public void Remove (string name)
{
if (this._response!= null)
{
this._response. Beforecookiecollectionchange ();
}
This. Removecookie (name);
if (this._response!= null)
{
this._response. Oncookiecollectionchange ();
}

This operation removes cookies from the HttpCookieCollection collection, and when the server transmits the data to the client, it does not contain any information about the cookie that has been removed from the service side. The browser will not make any changes to it (the Remove method simply does not allow the server to send the deleted cookie to the client and does not leave the cookie in the client). So the cookie does not drop out of the situation appears.

Since Response.Cookies.Remove has no way to achieve the results we need, why Microsoft has left, because cookiecollection implement ICollection interface, Romove is the method that must be implemented, although it is not much practical value. And the collection of romove should be such a way to achieve, but Microsoft in the writing MSDN, the description is too unclear, causing us a lot of trouble.

Here is a summary of several ways to implement a secure exit:

1). Implement exit with server control such as Linkbutton,button

This approach is best handled by writing code that empties the session or cookie directly in the server control's corresponding event.

2). Exit with HTML tags such as <a> logoff </a>

For <a></a> This special tag, you can do this by <a href="logout.aspx">注销</a> writing code that empties the session or cookie in the logout.aspx Page_Load event.

For HTML tags such as <a></a>, you can use Js-ajax, or Jquery-ajax, in the corresponding client event of the HTML tag, in the general handler (. ashx) You can write the code that clears the session or cookie.

For HTML tags like <a></a>, you can also: Add a server control such as a button to the current page, include it with a div, and hide it (note: Hidden is invisible and cannot be visible=false by server properties). Can only be implemented by setting the Div's display:none; write the code to empty the session or cookie in the server event Cilck of the button , and then invoke the Click event of the button control with JS or jquery in the corresponding client event of the HTML tag (the button is hidden by the server property Visible=false setting). JS or jquery calls the button control's click event to fail.

The above is a small set to introduce the ASP.net in the safe exit when the session or cookies to empty the instance code, hope to help everyone, if you have any questions please give me a message, small series will promptly reply to everyone. Here also thank you very much for the cloud Habitat Community website support!