We know that a web server Session is associated with the client browser process. If the user closes the browser, the Session object created by the server also becomes invalid. However, by default, IIS does not invalidate the user's Session immediately. The Session information usually stays in the server's memory for about 1 minute, and if it is hijacked and used during that period, it can easily cause security issues. Therefore, in certain situations, it is necessary to invalidate the Session immediately after the user closes the page window/tab.
Here is a simple method:
- Immediately pop up a new page after the window is closed.
- Invalidate the Session content in the new page.
Issues that exist:
- The code for popping up a new window may be blocked by the browser. If there is no need to pop up a new window, you can send a request to the server using Ajax.
- If there is a server-side window close event, this part of the server-side code may not be executed.
Reference code, tested and working in IE.
Front-end:
testtesttest
Back-end ASPX page:
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="WindowClose.aspx.cs" Inherits="WindowClose" %>
<%-- Call the method to invalidate the Session --%>
<% Session.Abandon(); %>
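The Ajax alternative mentioned under "Issues that exist", written for current browsers as an added example (it is not the original front-end code of this page). It assumes `WindowClose.aspx` is reachable at the relative URL shown; the function names and the `state` object are hypothetical.

```javascript
// Added example. ABANDON_URL assumes WindowClose.aspx sits next to the protected page.
const ABANDON_URL = 'WindowClose.aspx';

// Decide what to do when the page is unloaded. Returns the action taken so the
// logic can be checked outside a browser.
function notifyOnPageHide(event, state, nav, fetchFn, url) {
  if (event.persisted) return 'skipped-bfcache';   // page may come back via Back button
  if (state.internalNavigation) {                  // user is moving within the site
    state.internalNavigation = false;
    return 'skipped-internal';
  }
  // sendBeacon queues a POST (with the session cookie) that survives the unload.
  if (nav && typeof nav.sendBeacon === 'function' && nav.sendBeacon(url)) return 'beacon';
  // Fallback: keepalive lets the request outlive the page.
  if (typeof fetchFn === 'function') {
    fetchFn(url, { method: 'POST', keepalive: true, credentials: 'same-origin' });
    return 'fetch';
  }
  return 'unsent';
}

function installSessionAbandonOnClose(win, url = ABANDON_URL) {
  const state = { internalNavigation: false };
  // Same-origin link clicks and form submits unload the page without ending the visit.
  win.document.addEventListener('click', (e) => {
    const a = e.target && e.target.closest ? e.target.closest('a[href]') : null;
    if (a && !e.defaultPrevented && a.target !== '_blank' &&
        a.origin === win.location.origin) {
      state.internalNavigation = true;
    }
  });
  win.document.addEventListener('submit', (e) => {
    if (!e.defaultPrevented) state.internalNavigation = true;
  });
  win.addEventListener('pagehide', (e) =>
    notifyOnPageHide(e, state, win.navigator, win.fetch && win.fetch.bind(win), url));
  return state;
}

// In a browser, wire it up on load; elsewhere (tests) this line does nothing.
if (typeof window !== 'undefined') installSessionAbandonOnClose(window);
```

A reload or a URL typed into the address bar cannot be told apart from a close, so both also end the Session. Delivery is best-effort, so a short server-side Session timeout is still needed as the backstop.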