NoAccessAllowed.aspx

Hi all,

Q1: When running my aspx application in IE, I noticed that the user is still
able to access the system after the session cookie has expired by clicking
on the BACK AND FORWARD buttons on the browser. I guess this is because the
page is cached by the browser. Is there any way of preventing this from
happening? Is it possible to redirect the page to NoAccessAllowed.aspx if
the user clicks the BACK browser button after the session has expired?

Q2: I was thinking of AUTOMATICALLY redirecting my page (after the session
has expired) to another page, i.e. NoAccessAllowed.aspx. Is there a way I can
do this AUTOMATICALLY?

TIA,
Andrew.
 
Andrew,

We had the same problem...
On each of our pages we do a check to see if the session cookie is
still live and if not we send the user back to the login page.
But if the user clicked the back button they could continue to use the
cached cookie.

The only way I was able to resolve this was when the page loads for the
first time I do something like this

Response.Expires = 60
Response.ExpiresAbsolute = DateAdd(DateInterval.Day, -1, Now())
Response.AddHeader("pragma", "no-cache")
Response.AddHeader("cache-control", "private")
Response.CacheControl = "no-cache"
in the page load event....

This way, once the session cookie expires and the back button is clicked,
the user is sent back to the login page.

HTH
 
Thanks for your reply.
I am not very sure exactly what your code does, but I gather that it
specifies that the page in the cache expires after 60 seconds. Am I right ?
So when the user clicks on the BACK button, there is no longer a page in the
cache, and it will reload from the server, and if the user has NOT been
authenticated, will redirect to userlogin.aspx.

TIA.
Andrew.
 
(INLINE)

Andrew said:
> Hi all,
>
> Q1: When running my aspx application in IE, I noticed that the user is still
> able to access the system after the session cookie has expired by clicking
> on the BACK AND FORWARD buttons on the browser. I guess this is because the
> page is cached by the browser.

This is correct.

> Is there any way of preventing this from happening?

Set a low cache time in your page to ensure it does not cache for long on
their machine. You can use zero if they should not get back to the page
after submit.

> Is it possible to redirect the page to NoAccessAllowed.aspx if
> the user clicks the BACK browser button after the session has expired?

How do you know to redirect them? It is their machine, their browser cache
and a cached version of your page. Your server has no clue, at that time,
they exist. You can create a JavaScript mechanism, but it is probably more
trouble than it is worth (unless you can google search and find someone who
has already done the work and left it available for everyone to use).

> Q2: I was thinking of AUTOMATICALLY redirecting my page (after the session
> has expired) to another page, i.e. NoAccessAllowed.aspx. Is there a way I can
> do this AUTOMATICALLY?

Yes and no. You can add a meta-refresh tag to your page with the timeout
value for the application. When the page redirects, you ensure
NoAccessAllowed.aspx also kills a session if one still exists (logs them
out); this is a safety measure. You will still need to have short cache
times as the back button is still available.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

***********************************************
Think Outside the Box!
***********************************************
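
The approach discussed in the replies above, as an added VB.NET example that is not code from any poster in this thread: it marks the page as non-storable, checks the session on every request, and schedules the automatic redirect from Q2. The class names ProtectedPage and NoAccessAllowedPage and the "UserId" session key are assumptions.

```vb
' Added example. Assumed names: ProtectedPage, NoAccessAllowedPage, Session("UserId").
Imports System
Imports System.Web
Imports System.Web.UI

Public Class ProtectedPage
    Inherits Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        ' Ask the browser and any proxy not to keep a copy of this response,
        ' so BACK/FORWARD has to go to the server again instead of the cache.
        Response.Cache.SetCacheability(HttpCacheability.NoCache)
        Response.Cache.SetNoStore()
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1))

        ' The server-side check is the real access control; the headers above
        ' only make sure this code runs again when the user navigates back.
        ' Redirect(url) ends the response, so no protected markup is rendered.
        If Session("UserId") Is Nothing Then
            Response.Redirect("~/NoAccessAllowed.aspx")
        End If

        ' Q2: header form of the meta-refresh tag. Session.Timeout is in minutes,
        ' Refresh takes seconds; the extra 5 seconds lets the session lapse first.
        Dim seconds As Integer = Session.Timeout * 60 + 5
        Response.AppendHeader("Refresh", _
            seconds.ToString() & ";url=" & ResolveUrl("~/NoAccessAllowed.aspx"))
    End Sub
End Class

Public Class NoAccessAllowedPage
    Inherits Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        ' Safety measure from the reply above: kill any session that still exists.
        Session.Abandon()
        Response.Cache.SetCacheability(HttpCacheability.NoCache)
        Response.Cache.SetNoStore()
    End Sub
End Class
```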
 