There are a few ways that you could go about doing this, each with their own set of trade-offs. The first couple that come to mind for me are: Use the built-in ASP.NET session management and force your logout code to run when the session expires (see the Session_End handler in global.asax. The default session expiration is a 20 minute sliding timer from the last request/response activity. This number can be tuned to your liking, but remember that it will effect a user that leaves their browser idle as well as one that actively browsed away from your site. Another possibility is to use a session-based cookie (reference[^]) to signify that a user has logged into your site and use the unload event of the window object (reference[^]) in client script to force your logout code to run. The downside here is that you would be logging the user out each time they navigated from page-to-page, even within your site and you would have to read the cookie to verify that they're authenticated to your site and run your login code each time. The result is rather messy, as your login and logout code are running for each page of your site. The user would also be able to leave your site and return still authenticated until they closed their browser. My recommendation would be to consider the first technique of using the built-in session. Unless you have extremely sensitive content or logout code that absolutely must run immediately, I find that the session is usually a good trade-off. Hope that helps a bit to get you started. :)
--Jesse
"... the internet's just a big porn library with some useful articles stuck in." - Rob Rodi
