Post data is viewed on expired page - c#

I log in to the site and navigate to a page X where I post data, and then I log out. It takes me to the logout page, and after that, if I click the back button, it takes me back to page X but shows the message that the page has expired. I try to resend the same page, or click refresh and resubmit the same page. I have Fiddler running and now I see the data is posted... I was able to see this in the proxy tool Fiddler.
Now, due to a security issue, when I try to resubmit the expired page I don't want to see my form data in Fiddler.
How do I do this?
I already tried all of the following in the Page_Load event for the above page X. Page X is a user control.
// all of these were tried in Page_Load of page X
Response.Cache.SetNoStore();
Response.Cache.AppendCacheExtension("no-cache");
Response.Expires = 0;
Response.Expires = -1;
Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
Response.Cache.SetNoServerCaching();
Response.Cache.SetMaxAge(TimeSpan.FromSeconds(0));

You can't prevent this behavior (other than trying to clear the browser history which is not simple). This is a function of the browser / client. It will try to re-post the data, which is normal. Your system should handle it accordingly by ignoring the data if the user isn't authenticated or logged in.

Related

Completely log out of ASP.NET

Good morning, I have an issue when I want to close the user session that was created in my system: I click on my logout button and it automatically changes to the login form, but when I click the back button in the browser it returns me to the main form of the system, and I do not want that to happen, for security reasons.
I have this code in the button event and none of it works for me.
Session.Contents.RemoveAll();
Session.Remove("userLogin");
Session.RemoveAll();
Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
Response.AppendHeader("Cache-Control", "no-store");
Response.Write("<script>document.execCommand('ClearAuthenticationCache');</script>");
Response.Redirect("LoginSMTValidation.aspx", false);
HttpContext.Current.ApplicationInstance.CompleteRequest();
The user is seeing a cached page. Either
set no-cache headers on the page to prevent the browser from caching it.
OR
simply disable browser back button after login using the script below

Response.Redirect on page load does not work

I have two pages, a login page and a page1. The user cannot directly navigate to page1, as it contains the following code in the Page_Load event. The user is redirected to the login page.
if (Session["role"] == null)
{
Response.Write("Redirect Not Working");
Response.Redirect("loginpage.aspx");
}
When the user clicks logout on page1, he/she is redirected to the login page after setting Session["role"] = null. Now on the login page, if the user clicks on the browser back button, he/she is able to navigate to page1. Only in this case does Response.Redirect("loginpage.aspx"); in the Page_Load event not work. Why does it not work? How can I make it work, or how can I prevent the user from accessing page1 in this scenario?
I was helpless and got closed last time for asking it a different way: code to detect browser back button click for any (all) browsers.
Edit: In response to the answers, the code behind the logout button is
protected void btnLogOut_Click(object sender, EventArgs e)
{
Session["role"] = null;
Session.Abandon();
Response.Redirect("login.aspx");
}
The page you're seeing on back may just be a cached version.
The simplest way might be, instead of using response redirect, echo a meta refresh. You need to make sure the session is clear too.
Session.Abandon();
Response.Write("<meta http-equiv='refresh' content='0;URL=loginpage.aspx'>");
Response.End();
If a user hits back they'll hit that page again and be bounced to the URL you want them at. Nothing stopping them from hitting back quickly more than once or choosing Page1 from the history drop down and getting a cached version.
This should definitely work; check your Session["role"], I think it's never null.
At logout do this:
Session.Abandon();
'Page_Load is not working': in that case, the reason the page is executing doesn't affect the page life cycle; the Load event always fires when the page is executed.
So, if the Page_Load doesn't run sometimes, it's because the page is cached and doesn't execute on the server. The page can be cached in the browser, in a router somewhere along the way, or on the server using server-side page caching.
If you haven't enabled server-side page caching for the page, it's cached in the browser or in the network. You can use cache settings to try to eliminate this:
Response.Cache.SetCacheability(HttpCacheability.NoCache);
This will keep the page from being cached in normal circumstances. (Check also that your browser isn't in offline mode; then it will use anything in the cache regardless of its cacheability settings.)
Can you try something like this:
if (Session["role"] == null)
{
Response.Write("Redirect Not Working");
Response.Redirect("~/loginpage.aspx");
}
Make sure to reset Session["role"] = null at the time of logout, because this value will persist during the web session.
It sounds to me like you need to remove the Session["role"] value and set it back to null. When the user logs out I don't think that you are clearing your session values so when they browse back your page load still thinks that they have a valid logged in session.
An easy way to test if this is the case is to put a break point inside the if block past where you check to see Session["role"] == null. If you never hit that breakpoint you know that role is not null and they are still technically "logged in".
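As an added example, not code from any of the posts above, here is one way to combine the two fixes the answers in the first three threads describe: sending no-store cache headers so "back" re-requests the page, and refusing to act on any request (including a replayed POST) from a user whose session is gone. `Session["role"]`, the `btnLogOut_Click` handler and the page names come from the questions; the `AuthenticatedPage` base class is an assumption.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Assumed base class for page X / page1: every page deriving from it sends
// no-store headers and refuses to act on requests without a live session.
public class AuthenticatedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Cache-Control: no-cache, no-store plus an expiry in the past, so browsers
        // and proxies re-request the page on "back" instead of showing a stored copy.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // Session["role"] is the logged-in marker used in the question above.
        // OnLoad runs before any button click handler, so a replayed POST from a
        // logged-out user is redirected here and its form data is never processed.
        if (Session["role"] == null)
        {
            // endResponse defaults to true: the page life cycle stops right here.
            Response.Redirect("~/loginpage.aspx");
        }
    }
}

public partial class Page1 : AuthenticatedPage
{
    protected void btnLogOut_Click(object sender, EventArgs e)
    {
        Session["role"] = null;
        Session.Clear();
        Session.Abandon();
        // Abandon() alone leaves the ASP.NET_SessionId cookie in place, so the next
        // request would reuse the old session id; expire the cookie explicitly.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
        {
            Expires = DateTime.UtcNow.AddDays(-1)
        });
        Response.Redirect("~/loginpage.aspx");
    }
}
```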

redirect after authentication is successful

When the user clicks on the paybill (secure page) option, he/she is prompted to log in and then redirected to the account page. I am using Page.ResolveUrl in the Login_Authenticate method. Once logged in, if the user navigates to any different page on the website and then clicks on paybill again, I check the Identity.IsAuthenticated status in the page load and, depending on this, I again redirect the user to the account page. I want to know if this is the right way or if there are any best practices for doing this, as this involves a lot of server calls. Can I do this functionality using the LoggedInTemplate in the asp:LoginView or JavaScript? I have the code for your ref...
protected void Page_Load(object sender, EventArgs e)
{
//to directly link user to account if it's authenticated
var userauth = System.Web.HttpContext.Current.User.Identity.IsAuthenticated;
if (userauth)
{
string urlredirect = Page.ResolveUrl("~/" + SiteConfig.PageMappings["ACCOUNT"]);
Response.Redirect(urlredirect);
Server.TransferRequest(urlredirect);
}
}
You don't need to do both the Redirect and the TransferRequest. Response.Redirect sends a 302 to the browser to tell it to access a new page. Server.TransferRequest causes the request to be handled in a different Page within the existing request. If you're doing authentication, you likely want to scrap the current session and start over, which means just using Response.Redirect. I use Response.Redirect in circumstances like this. I also think it's useful for the user to see they've been redirected to another page for login (as well as being useful for page caching and back/forward navigation in the browser, w.r.t. authentication and login).

How do I get the URL to change to the correct/current page with jQuery Mobile and Response.Redirect?

I have an Inbox Message page that contains a list of messages sent to a person by another user. Clicking on this message will open up a thread of messages between these two people with the ability to reply to a message sent by the original sender (this page is MessageContent.aspx). This goes to another page (called MessageReply.aspx) that allows the person replying to create a new message in a textarea control with a button to "Send Message" which adds that reply to the end of the list of messages in the previous thread and does a Response.Redirect to go back to that page.
Overall I have everything working how I want to, but the only issue now is that the URL never changes when going from the MessageReply page back to the MessageDetail (one containing all the thread messages) page.
For example, the MessageDetail URL is "http://mysite/MessageContent.aspx?ThreadId=24".
Replying to a message goes to this URL: "http://mysite/MessageReply.aspx?message=26".
When the message gets sent to the Detail page and redirects to it, the URL still shows "http://mysite/MessageReply.aspx?message=26"
Here is the code I have in the MessageDetail to open the Reply page (using a HyperLink control):
string url = SPContext.Current.Site.ServerRelativeUrl + "/MessageReply.aspx";
HyperLink ReplyHyperLink = (HyperLink)e.Item.FindControl("MessageReply");
ReplyHyperLink.Attributes.Add("rel", "external");
ReplyHyperLink.NavigateUrl = QueryStringUtils.AppendParameter(url, MessageQueryString, item.Id);
Here is the code I have for the MessageReply SendMessage button:
// Send the message
var contentEditor = (HtmlTextArea)this.FindControl("ContentEditor");
client.SendMessageReply(_messageId.Value, SubjectTextBox.Text, contentEditor.InnerText);
Message message = client.Read(_messageId.Value);
// Redirect back to the MessageContent page
string url = SPContext.Current.Site.ServerRelativeUrl + "/MessageContent.aspx";
string pageUrl = QueryStringUtils.AppendParameter(url, ThreadIdQueryString, message.ThreadId);
Response.Redirect(pageUrl);
Anyone have any idea how to get the URL to change when it sends the message reply? Everything else is working fine. I greatly appreciate it :)
The simplest route for this would be to turn off Ajax on the form itself that is being submitted. All the assets required to build the next page should already be in cache, so when your next page is bounced with the redirect, provided you've crafted each page to stand alone, the load times will not be any higher.
To turn off Ajax on a form that's giving you trouble...
<form ... ... data-ajax="false">
Then, just be sure that the next page is constructed as a standard JQM page that could be called directly with a GET request and everything should be fine.

ASP.Net (C#) How to POST to HTTPS from an HTTP page

C# 3.0
ASP.Net 2.0
IIS6
I have a regular [non-https] page. There is the standard one ASP.Net form on the page.
There are two "areas" of functionality on the page though. Login and "Get Quote". The login page needs to POST to HTTPS while the rest of the page [including the "other area"] form can't be HTTPS. In Java [JSP] and regular Html, we would just have two forms. One that posts to HTTPS and one that doesn't.
What is the way to handle this in ASP.Net [from one page]. I know that I could link to an HTTPS login.aspx page, but the business really would like the context together.
Any ideas?
Thanks,
The solution is to use asp.net to specify a "cross page postback", that is, you use the PostBackUrl property of any button control (LinkButton, Button, ImageButton etc.). This property allows you to post back to any page you like. Just set your PostBackUrl to the https version of your page and you're good to go (also make sure there are no url redirects active which force http on your page).
// ensure we send credentials over a secure connection
if (!HttpContext.Current.Request.IsSecureConnection)
{
string postbackUrl = HttpContext.Current.Request.Url.AbsoluteUri.Replace("http", "https");
LinkButton_Login.PostBackUrl = postbackUrl;
}
In your specific case you should set one of your buttons to post back to the https version, and the other to the http version (if you don't specify the PostBackUrl the default is to post back to the page itself as is).
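An added example, not the answerer's code, that builds the https postback URL with UriBuilder instead of string.Replace (which would also rewrite any other "http" in the path or query string) and, as a second line of defence, refuses to process a password that nevertheless arrives over plain http. `LinkButton_Login` is from the answer above; `QuotePage` and the `txtPassword` control are assumed names.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class QuotePage : Page   // assumed page name
{
    // Assumed controls declared in the .aspx: LinkButton_Login and a TextBox txtPassword.

    // Switch only the scheme (and drop the explicit http port), leaving path and
    // query untouched, unlike AbsoluteUri.Replace("http", "https"), which would
    // also rewrite e.g. ?returnUrl=http://... or a path segment containing "http".
    internal static string ToHttps(Uri current)
    {
        var builder = new UriBuilder(current) { Scheme = Uri.UriSchemeHttps, Port = -1 };
        return builder.Uri.AbsoluteUri;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        bool secure = Request.IsSecureConnection;

        // Defence in depth: if a password reached this page over plain http (for
        // example because a rewrite rule forced the postback back to http), do not
        // process it; bounce to the https page before any control event handler runs.
        bool passwordPosted = Request.HttpMethod == "POST"
            && !string.IsNullOrEmpty(Request.Form[txtPassword.UniqueID]);
        if (passwordPosted && !secure)
        {
            Response.Redirect(ToHttps(Request.Url));   // ends the response
        }

        // Login submits to the https version of this same page; "Get Quote" keeps
        // PostBackUrl unset and therefore posts back to the http page as before.
        if (!secure)
        {
            LinkButton_Login.PostBackUrl = ToHttps(Request.Url);
        }
    }
}
```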
You can have two forms on an aspx page. You just can't nest them.
On a page I built, I have one form that posts back to the page, and one that posts back to Google Checkout.
If you have to mix the contents of the page, put the https form at the bottom of the page (after the main form tag) and fill it with hidden fields. When the user clicks a button, use Javascript to assign values to the hidden fields and then post the https form.
You could do a manual post through code using the HttpWebRequest object for the login event and then write the returned response back to the user's stream.
using System.IO;
using System.Net;

// webRequest (with URL and BytesToWrite), UserAgent and ContentType are the
// answerer's own variables: the target URL, the encoded login form body, and
// the header values to send.
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(webRequest.URL);
request.UserAgent = UserAgent;
request.ContentType = ContentType;
request.Method = "POST";
// Write your bytes of the login section here
using (Stream oStream = request.GetRequestStream())
{
    oStream.Write(webRequest.BytesToWrite, 0, webRequest.BytesToWrite.Length);
}
// Send the request and get a response, then read the response body
using (HttpWebResponse resp = (HttpWebResponse)request.GetResponse())
using (StreamReader sr = new StreamReader(resp.GetResponseStream()))
{
    // return the response to the screen
    string returnedValue = sr.ReadToEnd();
    Response.Write(returnedValue);
}
I'm assuming from your context, that you are doing one thing or the other, not both at the same time.
Look at the PostbackURL of the button objects.
the login button can postback to "https://secure.login.com"
The other button can just postback to the page itself.
The problem here is that you'll still be posting back the login fields to the insecure page, which means they're not encrypted, and could be sniffed.
The quick and dirty workaround would be to have javascript clear the login fields before posting if the "Get Quote" button is pressed.
Are the HTTP and HTTPS pages on the same server / part of the same application?
If so you maybe able to use the Server.Transfer() method to keep the form intact but also have the HTTPS.
In ASP.Net 3.5 (maybe SP1--forget if it was in the base library or the SP) you can now set the "action" attribute. But that would make it post to HTTPS for both 'forms'.
If you want to have both forms on the same page, and determine which to post to at 'runtime', you'll have to do it with client-side code. Have client handlers on all objects that trigger postbacks, or hook into the __doPostBack (or whatever it's called--too lazy to look it up) function, and have it check which button was pressed. If it's the non-secure page, then clear out any data in the login fields first. Then manually trigger the postback yourself to the correct page.
Couldn't you just do a Response.Redirect("https://.../Login.aspx"); in the Login button click event.
