How do I sign out a user when they close the browser or tab in ASP.NET MVC?
I need to sign out a user when the user closes the tab or browser. How do I do that in ASP.NET MVC?
There are a few things you can do to make sure the user is signed out when the browser is closed, but it depends on how you're setting the FormsAuthentication cookie:
- Use `Cookieless=True`.
- Set a FormsAuthenticationTicket to not be persistent
- Use `FormsAuthentication.SetAuthCookie` to set Persistence to false
- Use a JavaScript approach to remove the cookie on `window.unload`.
`Cookieless=True` approach:
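```xml
<system.web>
  <authentication mode="Forms">
    <!-- Cookieless mode. On <forms> the attribute takes an HttpCookieMode value; UseUri carries the ticket in the URL. -->
    <forms loginUrl="/Account/Login"
           protection="All"
           cookieless="UseUri" />
  </authentication>
</system.web>
```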
This appends the cookie value to the querystring in each request. The problem with this approach is it's not very secure and it messes with SEO. If a user sends anyone the URL they're using, that person can log in as the original user (probably not what you want). As far as "messing with SEO", it causes the same page to look different to a googlebot based on what URL is passed in. Each QueryString change makes it a new URL, and if anyone uses this for posting a link, it will dilute the search results for a given actual URL.
When you set an Authentication cookie for the user, set Persistent to False.
If you're doing this in `FormsAuthentication.SetAuthCookie`, this is the default. If you use the `FormsAuthenticationTicket` class, you have to specify the cookie expiration.
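```csharp
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1,                           // version
    "blah",                      // name (the user name stored in the ticket)
    DateTime.Now,                // issue date
    DateTime.Now.AddMinutes(30), // expiration (example value)
    false,                       // isPersistent
    string.Empty);               // userData
```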
`FormsAuthentication.SetAuthCookie()` approach:
By default, if you don't set `persistent`, the authentication cookie will expire at the end of the session (when the user closes the browser).
```csharp
FormsAuthentication.SetAuthCookie("CookieValue", false); // second argument is persistent
```
JavaScript approach:
There are no foolproof methods; all you can do is set the cookie expiration date to before now and hope the user's browser co-operates. If you really, really, really want the cookie gone, you can always try a JavaScript approach, but that won't work if the user has JavaScript disabled.
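```javascript
// Name of the forms-authentication cookie (.ASPXAUTH is the ASP.NET default).
var name = '.ASPXAUTH';
window.addEventListener('unload', function (event) {
    // Expire the cookie by setting its expiry date in the past.
    document.cookie = name + '=; expires=Thu, 01 Jan 1970 00:00:01 GMT;';
});
```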
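Other notes
The browser you use also matters. Chrome can run in the background and keeps session cookies until they time out; they are not deleted when the browser is closed (I found this out the hard way).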
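An added example, not code from the original answer: issuing the forms-authentication ticket by hand as a session cookie, so the browser drops it on close while the expiration stored inside the encrypted ticket still bounds the session on the server when a browser keeps session cookies alive. `AccountController`, `IssueSessionTicket` and the redirect target are assumed names, and the timeout is whatever `<forms timeout="...">` in web.config specifies.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    // Hypothetical helper: call it only after the credentials have been verified.
    private void IssueSessionTicket(string userName)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                             // version
            userName,                                      // name stored in the ticket
            DateTime.Now,                                  // issue date
            DateTime.Now.Add(FormsAuthentication.Timeout), // expiry checked by the server
            false,                                         // isPersistent
            string.Empty,                                  // userData
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            // HttpOnly keeps the ticket out of document.cookie, which also means
            // the JavaScript unload approach cannot clear a cookie issued this way.
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
            // Expires is deliberately left unset: no expiry date makes this a
            // session cookie that the browser discards when it closes.
        };
        Response.Cookies.Add(cookie);
    }

    // Explicit sign-out for users who do not simply close the browser.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut(); // replaces the auth cookie with an expired one
        return RedirectToAction("Login", "Account");
    }
}
```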