1

I am working on an application in ASP.NET with c# and MSSQL DB. I am using a simple logic that if the session variables contain appropriate values then a page should open otherwise it should redirect to the login page. This is the code thats working.

protected void Page_Load(object sender, EventArgs e)
        {
            if(Session["loggedinloginid"]==null || Session["loggedinpassword"]==null)
                Response.Redirect("login.aspx");

            con.ConnectionString = ConfigurationManager.ConnectionStrings["familyConnectionString"].ConnectionString;
            con.Open();
            adp = new SqlDataAdapter("select * from admins where loginid=N'" + Session["loggedinloginid"].ToString() + "' AND password=N'" + Session["loggedinpassword"].ToString() + "'", con);
            dt = new DataTable();
            adp.Fill(dt);

            if (dt.Rows.Count == 0)
                Response.Redirect("login.aspx");

            LinkButton lb=(LinkButton)(Master.FindControl("LinkButton1"));
            lb.Text = "Welcome " + Session["loggedinloginid"].ToString()+"| Log Out |";
            lb.Click += new EventHandler(lb_Click);
        }

        void lb_Click(object sender, EventArgs e)
        {
            Session.Clear();
            Response.RedirectPermanent("WebForm2.aspx");
            //throw new NotImplementedException();
        }

The problem is that when I log out and clear the session and type the URL of the page in the browser that I want to protect (the page with this code), it opens! Why and how can I avoid this?

leppie
  • 115,091
  • 17
  • 196
  • 297
Samarth Agarwal
  • 2,044
  • 8
  • 39
  • 79

4 Answers4

1
  Session.Abandon();

Removes all the objects stored in a Session. If you do not call the Abandon method explicitly, the server removes these objects and destroys the session when the session times out.

View this link for difference between clear,abandon

What is the difference between Session.Abandon() and Session.Clear()

Community
  • 1
  • 1
sp_m
  • 2,647
  • 8
  • 38
  • 62
0

you can use Session.Remove() method;

Session.Remove("session name");

Prashant16
  • 1,514
  • 3
  • 18
  • 39
0

you remove session after that page redirection completed to "WebForm2.aspx". you write the session remove function in that "Webform3.aspx" page. and after redirect to login page. and you check the webconfig file also.

Rajamohan Anguchamy
  • 1,726
  • 1
  • 17
  • 35
0

Your problem is in this line:

   lb.Click += new EventHandler(lb_Click);

The code for the Click-EventHandler is never called, because you subscribe to the EventHandler in the OnLoad-Event, but that is too late in the lifecycle. Move the line into the OnInit-Event and your code should work as expected.

You should also think about sanatizing your SQL Queries to prevent SQL injections (I don't know how your login looks like, but based on the code you posted above, it might be vulnerable to SQL injections).

If .net 3.5 or higher is an option for you, I would suggest you have look at simple ORM-Mappers like Linq2SQl or EntityFramework (have a look at Linq2SQL first), which allow you to use LINQ for your queries and (afaik) sanatize your input.

citronas
  • 19,035
  • 27
  • 96
  • 164