Disable access to pages after logout (Session.Abandon) in C#/ASP.NET - c#

I'm interested in disallowing the following after logout:
-- no back button
-- no direct access to pages via URL - for example: if the user logs out then they should not be allowed to see a cached page using some URL (e.g., replacing the URL with a valid URL in the site http://mysite.com/Gotothispage.aspx)
I've seen similar questions like this one: How to disable the back button in browser when user logout in asp.net c#
I know that I can set no cache on the master page, but then I lose the ability to use the back button when the user is actually logged in. Am I correct in this understanding?

A page is either cacheable or it isn't; the browser has no idea whether you are logged in or not. You can't somehow retrospectively expire objects already cached by the browser.

"Then I lose the ability to use the back button when the user is actually logged in. Am I correct in this understanding?"
Not entirely - you'll have problems using the back button on pages that are submitted using POST, but not GET.
A simple example would be to imagine an ASP.NET page with a paged Gridview - the user clicks pages 1,2,3,4,5, etc to navigate the grid.
Using POST, every time the user clicks another page in the grid, it will cause a postback to the same page. A page expired error will appear if the user clicks back after doing this.
Using GET, every time the user clicks another page in the grid, it will redirect them to the same page using a querystring (i.e., Grid.aspx?Page=2). In this case, the user can click back, and it will take them to the previous page without any problems.

Pages should already be disabled after logging out, if your security is set up correctly.
If you have a master page or basepage class specifically for users that are logged in, you should check if they have a sessionId that you set when they logged in.
If they don't, redirect them to another page.
Users may see a cached version of a page, but can't do anything to it.
In my basepage class for members, I check if they are logged in on the OnInit event:
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (!IsLoggedIn)
        {
            Response.Redirect("default.aspx");
        }
    }
Edit:
What some sites do is: after you log the person off, they redirect you to a temporary purgatory page that says it is logging you off. This purgatory page will have caching turned off, and has a meta-refresh tag that takes you to your destination page.
So when the user clicks on the back button, it takes them to the purgatory page which then directs them right back to where they were.
Gmail does this, but sometimes it's so fast you can't tell.
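The two pieces described in this answer, a members-only base page and a non-cacheable logout "purgatory" page, as an added example (not code from the answer above). LoginSessionKey, MemberBasePage and Logout are assumed names; FormsAuthentication.SignOut only matters if the site also uses forms authentication.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;

// Base class for members-only pages. The login check runs in OnInit, before any
// control renders data, and the response is marked non-cacheable so that Back
// after logout re-requests the page and is bounced by that check.
public class MemberBasePage : Page
{
    // Assumed name of the session entry this site's own login code sets.
    public const string LoginSessionKey = "MemberId";

    protected bool IsLoggedIn
    {
        get { return Session[LoginSessionKey] != null; }
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (!IsLoggedIn)
            Response.Redirect("~/default.aspx", true);   // ends the response here
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();   // no-store keeps the page out of history caches
    }
}

// Logout.aspx code-behind: the "purgatory" page. It kills the session on the
// server, is itself never cached, and forwards with a meta refresh, so Back
// lands here and is immediately sent on to default.aspx instead of a stale page.
public partial class Logout : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Session.Clear();
        Session.Abandon();               // server-side state is gone
        FormsAuthentication.SignOut();   // drops the forms-auth ticket, if the site uses one
        // Expire the session-id cookie too, so the next request gets a fresh id.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
            { Expires = DateTime.UtcNow.AddDays(-1) });
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        // Needs <head runat="server"> in Logout.aspx for Page.Header to be non-null.
        Page.Header.Controls.Add(new HtmlMeta { HttpEquiv = "refresh", Content = "0;url=default.aspx" });
    }
}
```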

Related

IE9 debugging in VisualStudio Cache pages incorrectly

There may be a setting I am missing somewhere, but I am completely dumbfounded by this issue. I have a dynamic data web site that is using role based permissions to limit the content a specific user can view, edit and delete. When the user first logs in and is redirected to the default page, it displays all of the correct tables for that user's role. After clicking on any of the available tables, then clicking the browser back button, the default page will display every table within the database regardless of what the user's role dictates. I am dumbfounded because at no point is there a view of every table available to any user's role, yet somehow IE9 managed to cache this imaginary version of the page. I know that this must be a cache issue because page_load on the default page is not triggered when the back arrow is clicked. If I refresh the default page it will be displayed correctly again.
I am working with a master page and explicitly turned off every form of caching I could think of in its page load.
HttpContext.Current.Response.Cache.SetAllowResponseInBrowserHistory(false);
HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);
HttpContext.Current.Response.Cache.SetNoStore();
Response.Cache.SetExpires(DateTime.Now.AddSeconds(-1));
Response.Cache.SetValidUntilExpires(true);
One other thing to note is that this only seems to be an issue with IE9; when I test the site in FF, Chrome or Safari, things work as expected.
You have to store the role of the user who logs in in a session variable and then show the required data (table or whatever) based on that value. If the data is shown based on the user's role in the session then I don't think you will have any problem. Also you can disable the cache by calling Response.Cache.SetNoStore(); in the page load function.

Clear details stored in form

I have a user registration page. After entering all the details and successful account creation, I want to stay on the same page, but all the user-entered details should be cleared;
if the registration is unsuccessful, then all the user-entered details should be retained.
Which is the right way of achieving this?
Is clearing all the values manually in code the only way?
Viewstate is maintained during postbacks. So, you can do a redirect to the same url if the registration is successful. Make sure that your databindings check for IsPostback.
The state for the textboxes is maintained during postback, so you could clear them manually.
However, Ingenu's answer suggests using what's called the PRG pattern, which is an even better fit. In your case it goes like this:
On successful creation of an account, you should issue a redirect to the same page. The redirect will call your registration page as a GET request again, and clear all textboxes.
If the create is unsuccessful, you should NOT redirect, so that the user stays on the same page with the textboxes still filled.
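The PRG flow from the answer above, written out as an added example for a registration code-behind (not code from the answer). The controls UserNameBox, EmailBox, PasswordBox and StatusLabel are assumed to be declared in the designer file, and Membership.CreateUser stands in for the site's own account-creation code.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Register.aspx code-behind (added example).
public partial class Register : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Data binding belongs here only: on a postback viewstate already holds
            // the bound values, and rebinding would discard what the user selected.
            // One-shot confirmation after the PRG redirect (flag set in the click handler).
            if (Request.QueryString["created"] == "1")
                StatusLabel.Text = "Account created.";
        }
    }

    protected void CreateButton_Click(object sender, EventArgs e)
    {
        if (!Page.IsValid) return;   // validators failed: no redirect, fields stay filled

        MembershipCreateStatus status;
        Membership.CreateUser(UserNameBox.Text, PasswordBox.Text, EmailBox.Text,
                              null, null, true, out status);

        if (status == MembershipCreateStatus.Success)
        {
            // Post-Redirect-Get: the 302 makes the browser issue a plain GET for
            // this page, which carries no viewstate, so every textbox renders empty
            // and a later browser refresh cannot resubmit the registration.
            Response.Redirect(Request.Url.AbsolutePath + "?created=1", true);
        }
        else
        {
            // Failure: no redirect. The postback re-renders with the typed values
            // retained by viewstate (a TextMode=Password box is never echoed back).
            StatusLabel.Text = "Registration failed: " + status;
        }
    }
}
```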

C#.net webform, avoid losing data from session timeout

I have a user complaining about frequent timeouts in my Intranet web page. While looking for a solution I found this post:
http://forums.asp.net/t/152925.aspx?PageIndex=1
Where a poster recommends intercepting the redirect to the login page, submit the data to the database, then either reauthorize the user (without their knowledge) or redirect to login page. My goal is to avoid the situation where a user enters data in a form, walks away, then comes back to submit it, only to be told they have to login again (which is fine, if the data remained and the user was sent right back to the original webform).
Does anyone know how I can accomplish this on specific pages in my app (not all of them)?
It's not necessarily trivial, but you can add an ajax component that makes occasional calls to a page to keep the session alive. This way you could lengthen the session for any particular page you need to without affecting the application as a whole.
EDIT
If you really want to let the session expire, but keep the form data, you can implement
protected void Application_PostAuthenticateRequest (object sender, EventArgs e)
event handler in your global.asax.cs file. This is called before the forms authentication redirect happens, and the form data is available to your application at this point, so you can persist it to whatever medium is necessary until your user is authenticated again. In addition, if you check the
((HttpApplication)sender).Request.Path
property it will tell you which page was requested.
Well, the easy way is to drastically lengthen the timeout specified in the web.config file.
I'm going to try using cookies to preserve the data. My plan is to update the user's cookie after each control is changed, then add logic to the page_load property of the page to populate the form data after the user is logged back in.
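The Application_PostAuthenticateRequest approach from the EDIT above, carried through as an added example (not code from the answers): an expired POST to a listed page has its fields parked server-side under a random draft id, and the page reclaims them after re-login. PreservedPages, the FormDraft cookie name and TakeDraft are assumptions for this example.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;
using System.Web.Caching;

// Global.asax.cs (added example). When a POST arrives on a preserved page and
// the forms-auth ticket has already expired, the posted fields are parked
// server-side under a random draft id handed to the browser in a cookie, and
// forms authentication then redirects to the login page as usual.
public class Global : HttpApplication
{
    // Assumed: only these forms are worth keeping across a timeout.
    static readonly string[] PreservedPages = { "/Timesheet.aspx", "/Expenses.aspx" };
    const string DraftCookie = "FormDraft";

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest req = app.Request;
        if (req.HttpMethod != "POST" || req.IsAuthenticated) return;
        if (Array.IndexOf(PreservedPages, req.Path) < 0) return;

        // Keep only the application's fields; viewstate and __EVENTTARGET belong
        // to the dead postback and must not be replayed later.
        var draft = new NameValueCollection();
        foreach (string key in req.Form.AllKeys)
            if (key != null && !key.StartsWith("__")) draft[key] = req.Form[key];

        string draftId = Guid.NewGuid().ToString("N");   // unguessable handle
        app.Context.Cache.Insert("draft:" + draftId, draft, null,
            DateTime.UtcNow.AddMinutes(30), Cache.NoSlidingExpiration);
        app.Response.Cookies.Add(new HttpCookie(DraftCookie, draftId) { HttpOnly = true });
    }

    // Called from the page's Page_Load (when !IsPostBack) after the user logs back
    // in. One-shot: the draft is removed from the cache and the cookie expired.
    public static NameValueCollection TakeDraft(HttpContext ctx)
    {
        HttpCookie c = ctx.Request.Cookies[DraftCookie];
        if (c == null || string.IsNullOrEmpty(c.Value)) return null;
        var draft = ctx.Cache.Remove("draft:" + c.Value) as NameValueCollection;
        ctx.Response.Cookies.Add(new HttpCookie(DraftCookie, "") { Expires = DateTime.UtcNow.AddDays(-1) });
        return draft;   // keys are control UniqueIDs, e.g. draft["ctl00$Main$NotesBox"]
    }
}
```

In the page, restore with something like `NotesBox.Text = draft[NotesBox.UniqueID]` once TakeDraft returns non-null; the draft lives in the in-process cache, so it is lost on an application recycle and after the 30-minute limit.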

Asp.Net page reload problem after login

I am developing a web application. The problem is that I am using a login control (not a .NET control) which is a part of the master page and is accessible from all pages. If a user logs in from a page, the login control updates itself and displays some statistics of the logged-in user, but the specific page does not reload. (Some options on the page are visible only to authenticated users, so after login the page should be reloaded to display such options.)
After the login method I wrote
    Response.Redirect(Request.Url.AbsoluteUri);
After this, the browser responds with "Page cannot be displayed".
It would be of great help to me.
Many Thanks, Regards. AZHAR
From your description it is not clear what happens, but most likely you get an infinite loop, where the page is redirected to itself again and again.
The most obvious problem is that you place the redirect code in Page_Load.
As a possible resolution:
Place Response.Redirect(Request.Url.AbsoluteUri) in the OnLogin event of your login control.
If you want to use Page_Load anyway, at least add the following check:
    if (IsPostBack)
        Response.Redirect(Request.Url.AbsoluteUri);
But the last case is very bad style because it may have a lot of side effects.
Make sure your redirect is not causing a loop. Check Page.IsPostBack
Be aware that POST variables are lost during this operation.
Another thing that you should look at is the roles that you allow in the folder (in the web.config file in the folder).
I accidentally misspelt a role name and it kept redirecting my users to the login page.
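Putting the redirect in the login control's own click handler, as the first answer recommends, shown as an added example (not code from the answers). UserNameBox, PasswordBox and ErrorLabel are assumed controls, and Membership.ValidateUser stands in for the site's own credential check.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// LoginBox.ascx code-behind (added example). The redirect lives in the login
// button's click handler, which only runs on the one postback that performed
// the login, so it cannot loop the way a redirect in Page_Load does.
public partial class LoginBox : UserControl
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!Membership.ValidateUser(UserNameBox.Text, PasswordBox.Text))
        {
            ErrorLabel.Text = "Invalid user name or password.";
            return;   // no redirect on failure, so nothing to loop on
        }

        FormsAuthentication.SetAuthCookie(UserNameBox.Text, false);

        // Reload the page the user was on as a GET. RawUrl is the path and query
        // string of the current request, so the user stays on this site; the POST
        // body is dropped, which is fine because the login form was that POST.
        Response.Redirect(Request.RawUrl, false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```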

How can I prevent some of my views in ASP.NET MVC from being cached?

I have a view that shows a list of items and when you click on one of them it will take you to the items page. I also store a "Viewed" flag in the database for that item.
Now, when the user clicks back, the item should be styled differently because of the change in the "Viewed" flag. However, every time I click back, it is as it was before I clicked into the item, and I have to click refresh to see the actual state of the page now.
How can I prevent this page from being cached so when a user clicks back they will see the latest version of this site, complete with the new styling?
Mark the controller action that generates the list with the OutputCacheAttribute and set the cache location to none to prevent that page from being cached on the client. This should cause the client to request the page again. If the user is using the back button, however, I think that the page is served up by the browser without reloading regardless of the caching. At least in FF I don't see it requesting the page again using Firebug.
[OutputCache( Location = OutputCacheLocation.None )]
Call this in your controller action:
Response.Cache.SetCacheability(HttpCacheability.NoCache);
This will prevent the browser from caching the page.
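An added example (not code from the answers) that packages the cache headers from both answers into an MVC action filter and applies it to the list action. Item, IItemRepository and ItemsController are assumed types standing in for the question's data access. The filter also sends Cache-Control: no-store, which browsers with a back-forward cache have traditionally honoured, so that Back re-requests the list and shows the updated "Viewed" styling.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Marks a view response uncacheable. NoCache alone yields "no-cache"; no-store
// is the directive that keeps the page out of the browser's back-forward cache.
public class NoClientCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);   // Cache-Control: no-cache
        cache.SetNoStore();                                // Cache-Control: no-store
        cache.SetExpires(DateTime.UtcNow.AddYears(-1));    // Expires in the past
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        base.OnResultExecuting(filterContext);
    }
}

// Assumed types standing in for the question's data access; not part of the post.
public class Item { public int Id { get; set; } public bool Viewed { get; set; } }
public interface IItemRepository
{
    IEnumerable<Item> All();
    Item Get(int id);
    void MarkViewed(int id);
}

public class ItemsController : Controller
{
    private readonly IItemRepository repo;
    // Assumes a dependency resolver supplies the repository.
    public ItemsController(IItemRepository repo) { this.repo = repo; }

    [NoClientCache]   // the list must be re-fetched on Back to reflect Viewed flags
    public ActionResult Index()
    {
        return View(repo.All());
    }

    public ActionResult Details(int id)
    {
        repo.MarkViewed(id);   // the state change the list must reflect afterwards
        return View(repo.Get(id));
    }
}
```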
