ASP.NET example code for emptying Session or Cookie on safe exit

  • 2021-08-28 19:53:56
  • OfStack

Overview:

Suppose clicking Exit on a website only redirects to the login/exit page. If you then enter the address of a page that is shown after logging in, such as the homepage, in the browser address bar, you will find that you can access it without logging in. This so-called exit is not safe.

So how do you exit safely?

When the user clicks Exit, empty the corresponding Session or Cookie.

Code to empty the Session:


Session.Clear();
Session.Abandon();

Correct code for clearing a Cookie (assuming the Cookie is named UserInfo):


if (Request.Cookies["UserInfo"] != null)
{
    Response.Cookies["UserInfo"].Expires = DateTime.Now.AddDays(-1);
}

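If you need to clear all Cookies, traverse the cookies the browser sent:


// Response.Cookies is normally empty at this point, so loop over the names in Request.Cookies
foreach (string name in Request.Cookies.AllKeys)
{
    Response.Cookies[name].Expires = DateTime.Now.AddDays(-1);
}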

Incorrect code for clearing a Cookie (assuming the Cookie is named UserInfo):


if (Request.Cookies["UserInfo"] != null)
{
    Response.Cookies.Remove("UserInfo");
}

You will find that the Cookie still exists after this treatment. Why can't it be deleted? Let's take a look at the HttpCookieCollection implementation source code:


public void Remove(string name)
{
    if (this._response != null)
    {
        this._response.BeforeCookieCollectionChange();
    }
    this.RemoveCookie(name);
    if (this._response != null)
    {
        this._response.OnCookieCollectionChange();
    }
}

This operation only deletes the cookie from the server-side HttpCookieCollection. When the server sends the response to the client, it contains no information about the cookie that was removed on the server side, so the browser makes no change to its own copy. In other words, the Remove method only prevents the server from sending the removed cookie to the client; it has no bearing on whether the cookie remains in the client. That is why the cookie is not deleted.

Since Response.Cookies.Remove can't achieve the effect we need, why does Microsoft keep it? Because CookieCollection implements the ICollection interface, Remove is a necessary method, although it doesn't have much practical value. Removing from a collection should indeed be implemented this way, but when Microsoft wrote MSDN, the description was too unclear, which caused us a lot of trouble.

Here are several ways to achieve safe exit:

1). Exit with server controls such as LinkButton and Button

This is the best way to handle it: write the code to empty Session or Cookie directly in the event corresponding to the server control.

2). Exit with an HTML tag such as <a>Logoff</a>

An <a></a> tag can be handled as follows: <a href="logout.aspx">Log off</a>. In the Page_Load event of logout.aspx, write the code to empty Session or Cookie.

For an HTML tag such as <a></a>, you can also use JS Ajax or jQuery Ajax in the tag's client-side event, and write the code that empties Session or Cookie in a generic handler (.ashx).

For an HTML tag such as <a></a>, you can also do this: add a server control such as a Button to the current page, wrap it in a div, and hide it. Note that it must be hidden by setting display: none on the div, not through the server property Visible=False; if the Button is hidden with Visible=False, a Click event triggered from JS or jQuery will not work. Write the code that empties Session or Cookie in the Button's server-side Click event, then trigger the Button's Click event with JS or jQuery from the HTML tag's client-side event.
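
The generic handler (.ashx) route described above, as an added example that is not code from the original article. The class name Logout and the redirect target ~/login.aspx are assumptions. It combines the Session and Cookie steps, and implements IRequiresSessionState because a handler has no Session without it.

```csharp
// Logout.ashx.cs: added example. "Logout" and "~/login.aspx" are assumed names.
using System;
using System.Web;
using System.Web.SessionState;

public class Logout : IHttpHandler, IRequiresSessionState
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        // Drop server-side state first, so the old session is useless even
        // if the browser keeps sending its cookies.
        if (context.Session != null)
        {
            context.Session.Clear();
            context.Session.Abandon();
        }

        // AllKeys is a snapshot of the names the browser sent. With default
        // settings this includes ASP.NET_SessionId, so the abandoned session
        // ID is not reused on the next request.
        foreach (string name in context.Request.Cookies.AllKeys)
        {
            if (!string.IsNullOrEmpty(name))
            {
                ExpireCookie(context.Response, name);
            }
        }

        context.Response.Redirect("~/login.aspx", false);
    }

    private static void ExpireCookie(HttpResponse response, string name)
    {
        // An empty value plus a past Expires produces a Set-Cookie header
        // that tells the browser to delete the cookie. Path must match the
        // path the cookie was issued with ("/" is the ASP.NET default);
        // a cookie set with a Domain needs that same Domain here as well.
        var expired = new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.Now.AddDays(-1),
            Path = "/",
            HttpOnly = true
        };
        response.Cookies.Set(expired);
    }
}
```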

