
Example code for clearing Session or Cookie when exiting safely in Asp.net

高洛峰
2016-12-10 09:13:26

Overview:

Suppose clicking "log out" on a website only redirects to the login/exit page. If you then enter the address of a post-login page, such as the homepage, in the browser address bar, you will find that you can still access it without logging in. This kind of exit is not safe.

So how do you exit safely?

Clear the corresponding Session or Cookie when the user clicks to exit.

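Code to clear the Session:

// Remove all keys and values stored in the current session
Session.Clear();
// End the session itself on the server
Session.Abandon();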

Correct code to clear a cookie (assuming the cookie name is UserInfo):

if (Request.Cookies["UserInfo"] != null)
{
    // Send the cookie back with an expiry date in the past so the browser deletes it
    Response.Cookies["UserInfo"].Expires = DateTime.Now.AddDays(-1);
}

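If you need to clear all cookies, loop over them:

// Iterate the cookies the browser sent (Request.Cookies), not Response.Cookies,
// which only holds cookies already queued for this response.
foreach (string name in Request.Cookies.AllKeys)
{
    Response.Cookies[name].Expires = DateTime.Now.AddDays(-1);
}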

Incorrect code for clearing a cookie (assuming the cookie name is UserInfo):

if (Request.Cookies["UserInfo"] != null)
{
    // Only removes the cookie from the response collection; the browser keeps its copy
    Response.Cookies.Remove("UserInfo");
}

After this code runs, the cookie still exists in the browser. Why can't it be deleted this way? Let's look at the source code of .NET's HttpCookieCollection:

public void Remove(string name)
{
    if (this._response != null)
    {
        this._response.BeforeCookieCollectionChange();
    }
    this.RemoveCookie(name);
    if (this._response != null)
    {
        this._response.OnCookieCollectionChange();
    }
}

This call only removes the cookie from the server-side HttpCookieCollection. The response the server sends simply omits that cookie, so the browser receives no instruction about it and leaves its stored copy unchanged. In other words, Remove only stops the server from sending the removed cookie to the client; it has nothing to do with whether the cookie remains on the client. That is why the cookie cannot be deleted this way.

Since Response.Cookies.Remove does not achieve the effect we need, why does Microsoft keep it? Because CookieCollection implements the ICollection interface, Remove is a method that must be implemented, even though it has little practical value. Removing an item from a collection should indeed behave this way, but the MSDN description was too unclear, which caused us a lot of trouble.

The following is a summary of several ways to achieve safe exit:

1). Use server controls such as LinkButton and Button to implement exit

This method is the best: write the code that clears the Session or Cookie directly in the server control's event handler.

2). Use HTML tags such as <a>Logout</a> to log out

For the special tag <a></a>, it can be implemented like this: <a href="logout.aspx">Logout</a>, then write the code that clears the Session or Cookie in the Page_Load event of logout.aspx.

For HTML tags such as <a></a>, you can use JS Ajax or jQuery Ajax in the tag's client-side event to call a generic handler (.ashx) that contains the code to clear the Session or Cookie.

For HTML tags such as <a></a>, you can also do this: add a server control such as a Button to the current page, wrap it in a div, and hide it. Note that the hiding cannot be done through the server property Visible=False; it can only be done by setting display:none; on the div. Write the code that clears the Session or Cookie in the Button's server-side Click event, then use JS or jQuery in the HTML tag's client-side event to trigger the Button control's Click event. If the Button is hidden through the server property Visible=False, triggering its Click event from JS or jQuery will not work.
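
The logout.aspx approach from item 2, written out as a Page_Load handler that clears the Session and expires every cookie the browser sent. This is an added example, not code from the original article; the class name Logout, the ~/Login.aspx redirect target and the cookie path "/" are assumptions.

```csharp
// Added example: code-behind for the logout.aspx page described above.
// Assumed names: class Logout, login page ~/Login.aspx.
using System;
using System.Web;
using System.Web.UI;

public partial class Logout : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Drop server-side state first so the old session no longer holds user data.
        Session.Clear();
        Session.Abandon();

        // Expire every cookie the browser sent with this request.
        // AllKeys is a snapshot array, so adding to Response.Cookies
        // inside the loop does not disturb the iteration.
        foreach (string name in Request.Cookies.AllKeys)
        {
            if (string.IsNullOrEmpty(name))
            {
                continue;
            }

            HttpCookie expired = new HttpCookie(name, string.Empty);
            expired.Expires = DateTime.Now.AddDays(-1);
            expired.HttpOnly = true;
            // The browser only overwrites a cookie whose name, domain and path
            // match. "/" is the ASP.NET default path and an assumption here;
            // use the same Path/Domain the cookie was issued with.
            expired.Path = "/";
            Response.Cookies.Add(expired);
        }

        // endResponse = false lets the request finish normally, so the
        // Set-Cookie headers above are sent along with the redirect.
        Response.Redirect("~/Login.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

After logging out, the response headers in the browser's developer tools should show one Set-Cookie line with a past expiry date for each cookie, which is the difference from Response.Cookies.Remove, where no Set-Cookie header is sent at all.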

