Good morning. I have a problem when I want to close the user session that was created in my system. I click on my logout button and it automatically changes to the login form, but when I click the browser's back button it returns me to the main form of the system, and I do not want that to happen, for security reasons.
I have this code in the button event, and none of it works for me.
Session.Contents.RemoveAll();
Session.Remove("userLogin");
Session.RemoveAll();
Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
Response.AppendHeader("Cache-Control", "no-store");
Response.Write("<script>document.execCommand('ClearAuthenticationCache');</script>");
Response.Redirect("LoginSMTValidation.aspx",false);
HttpContext.Current.ApplicationInstance.CompleteRequest();
The user is seeing a cached page. Either
set no-cache headers on the page to prevent the browser from caching it.
OR
simply disable browser back button after login using the script below
I log in to the site and navigate to a page X where I post data, and then I log out. It takes me to the logout page, and after that if I click the back button it takes me back to page X but shows the message that the page is expired. I try to resend the same page, or click refresh and resubmit the same page. I have Fiddler running and now I see the data is posted; I was able to see this in the proxy tool Fiddler.
Now, due to the security issue, when I try to resubmit the expired page I don't want to see my form data in Fiddler.
How do I do this?
I already tried all of the following in the page load event for page X above. Page X is a user control.
Response.Cache.SetNoStore();
Response.Cache.AppendCacheExtension("no-cache");
Response.Expires = 0;
Response.Expires = -1;
Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
Response.Cache.SetNoServerCaching();
Response.Cache.SetMaxAge(TimeSpan.FromSeconds(0));
You can't prevent this behavior (other than trying to clear the browser history which is not simple). This is a function of the browser / client. It will try to re-post the data, which is normal. Your system should handle it accordingly by ignoring the data if the user isn't authenticated or logged in.
This is my Login page
This is my master.aspx page. (The red mark shows Login.aspx because I used Server.Transfer.)
If I refresh the page, my page goes back to the login page.
I used "Session.Abandon();, Session.Clear();" in the Login.aspx.cs page and
if (!IsPostBack)
{
    if (Session["LoginId"] == null)
        Response.Redirect("Login.aspx");
    else
    {
        Response.ClearHeaders();
        Response.AddHeader("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate");
        Response.AddHeader("Pragma", "no-cache");
    }
}
in the Master.aspx.cs page. Help me to solve this.
So do you ever set a value in LoginId, or do you always check whether it is null, which causes the redirect to the login page? You said you clear the session, so I assume your session is empty after you log in. Also, refreshing the page is different from !IsPostBack. PostBack is when you click on a web control, not when you refresh, so that causes LoginId = null, which is never set, and it always goes to Login.aspx! I would suggest verifying the user on the login page and setting LoginId to some value. Also, your master code is kinda messy, because it will cause the headers to be cleared and repopulated multiple times when you fix the LoginId issue.
I have two pages, a login page and a page1. The user cannot directly navigate to page1 as it contains following code for the pageload event. The user is redirected to the login page.
if (Session["role"] == null)
{
    Response.Write("Redirect Not Working");
    Response.Redirect("loginpage.aspx");
}
When the user clicks logout on page1, he/she is redirected to the login page after setting Session["role"]=null. Now on the login page, if the user clicks on the browser back button, he/she is able to navigate to page1. Only in this case, Response.Redirect("loginpage.aspx"); in the pageload event does not work. Why does it not work? How can I make it work, or how can I prevent the user from accessing page1 in this scenario?
I have been helpless, and my question was closed last time when I asked it a different way: "code to detect browser back button click for any(all) browser".
Edit: In response to answers, the code against the logout button is
protected void btnLogOut_Click(object sender, EventArgs e)
{
    Session["role"] = null;
    Session.Abandon();
    Response.Redirect("login.aspx");
}
The page you're seeing on back may just be a cached version.
The simplest way might be, instead of using response redirect, echo a meta refresh. You need to make sure the session is clear too.
Session.Abandon();
Response.Write("<meta http-equiv='refresh' content='0;URL=loginpage.aspx'>");
Response.End();
If a user hits back they'll hit that page again and be bounced to the URL you want them at. There is nothing stopping them from hitting back quickly more than once, or choosing Page1 from the history drop-down and getting a cached version.
This should definitely work. Check your Session["role"]; I think it's never null.
At logout do this:
Session.Abandon();
'pageload is not working': in that case, the reason for the page executing doesn't affect the page cycle; the Load event always fires when the page is executed.
So, if the Page_Load doesn't run sometimes, it's because the page is cached and doesn't execute on the server. The page can be cached in the browser, in a router somewhere along the way, or on the server using server side page caching.
If you haven't enabled server side page caching for the page, it's cached in the browser or in the network. You can use cache settings to try to eliminate this:
Response.Cache.SetCacheability(HttpCacheability.NoCache);
This will keep the page from being cached in normal circumstances. (Check also that your browser isn't in offline mode; then it will use anything in the cache regardless of its cacheability settings.)
Can you try something like this:
if (Session["role"] == null)
{
    Response.Write("Redirect Not Working");
    Response.Redirect("~/loginpage.aspx");
}
Make sure to reset Session["role"] = null at the time of logout, because this value will persist during the web session.
It sounds to me like you need to remove the Session["role"] value and set it back to null. When the user logs out I don't think that you are clearing your session values so when they browse back your page load still thinks that they have a valid logged in session.
An easy way to test if this is the case is to put a break point inside the if block past where you check to see Session["role"] == null. If you never hit that breakpoint you know that role is not null and they are still technically "logged in".
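An added example, not code from any of the posts above: a hypothetical `AuthenticatedPage` base class that combines the two points made in the answers, marking protected pages as non-storable so that Back re-requests them, and rejecting any request (including a form re-submitted after logout) once the session no longer carries `role`. The class and method names are assumptions; `Session["role"]` and `loginpage.aspx` are taken from the question.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class (an assumption, not from the posts): every page that
// requires a logged-in user, such as page1, inherits from this instead of Page.
public class AuthenticatedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // Ask the browser and any proxy not to keep a copy of this response,
        // so Back after logout triggers a fresh request instead of a cached view.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));

        // Server-side gate. OnInit runs before postback data is processed and
        // before any click handler, so a form re-submitted after logout is dropped.
        if (Session["role"] == null)
        {
            // endResponse: true stops the page lifecycle here. With false, the
            // rest of the page (including postback handlers) would still execute.
            Response.Redirect("~/loginpage.aspx", true);
        }
        base.OnInit(e);
    }

    // Call from the logout button handler.
    protected void SignOut()
    {
        Session.Clear();      // drop role and every other value now
        Session.Abandon();    // discard the server-side session at end of request

        // Expire the session cookie so the old session id is not sent again.
        // "ASP.NET_SessionId" is the default name; adjust if sessionState overrides it.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });

        Response.Redirect("~/loginpage.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

The browser may still send the re-POST, and a proxy such as Fiddler will still show it on the wire; what the gate guarantees is that the server discards it without running any page logic.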
I have a button in my aspx page whose PostBackUrl value gets set in the code-behind. I updated the code to add a click event handler and added Response.Redirect code to redirect the user to the page once the button is clicked. The only reason I ended up adding the click event was because I had to add some extra logic when the button was clicked, including redirecting to the same URL that was used in PostBackUrl. The page does get redirected on click; however, it seems like all the hidden fields from the field get lost once the form gets redirected to the URL.
Is there any way I can submit the form without losing the hidden data?
Maybe one way you can solve this problem is to use the server side Transfer() call.
http://msdn.microsoft.com/en-us/library/540y83hx(v=vs.85).aspx
In most cases I've seen what you really want to do is pass the information for the new page using URL parameters. Take all the stuff the new page needs and put it into the url (encrypt if it is security sensitive).
If the only issue you are having is when you want to stay on the same page, this is simple, just have the click event handler return without doing a response.redirect or a transfer.
Post the code if this is not working for you.
I have an ASP.NET project in which I use the session for the logged-in user. If I open a popup window and wait until the session expires, I get an error page describing the session expiration, which redirects to the login page. But the login page opens in the same popup window. My requirement is to open the login page in the main window. What changes should I make for that?
if (Session["IsSessionValid"] != null)
{
    //Some lines of codes
}
else
{
    Response.Redirect("SessionError.aspx");
}
As far as I know, I think we can use JavaScript to load the parent window with a new URL.
Write a function for the popup window.onclose event.
In that function, you can refer to the parent window from which you opened the popup:
window.opener.location = url; // replace url with the URL of your wish