
I created a page that shows a user a receipt that says they have successfully completed a payment from a third party site. I am trying to prevent the user from going back to the third party's page and making a duplicate payment. I was thinking I could log out the user when they hit the back button so that it would kick them off the site and onto the login page.

I tried using:

```csharp
protected void Page_Unload(object sender, EventArgs e)
{
    Response.Redirect("Login.aspx");
}
```

but I get the error: "System.Web.HttpException: Response is not available in this context"

The flow of the site is: log in on Login.aspx, then fill out an application on the next page. After completion of the application, the submit button takes the user to a page where they select defer payment or pay with card. If they pay with card, they are taken to the third party site and fill out their information. The third party site then sends them back to the receipt page that I created.

So the question is: how would I go about logging someone out upon hitting the back button?

Austin
  • You can't really prevent that back button. You should have a better way to deal with duplicate payment through third parties, i.e. tokens. You could use the Post Redirect Get pattern together with your authentication to redirect them to login. Are you even using `FormsAuth`? – Luke Hutton Jul 08 '13 at 20:38
  • @Luke I am not using `FormsAuth` – Austin Jul 08 '13 at 20:42
  • So how do users "login"? Need some more context of the payment flow / authentication in your application to begin to answer. – Luke Hutton Jul 08 '13 at 20:43
  • @Luke I'm using the code: `if (Session["NID"] == null) { Response.Redirect("Login.aspx"); }` where the Session["NID"] is created on the login page. – Austin Jul 08 '13 at 20:44
  • @Luke I updated the flow; if that doesn't help, let me know – Austin Jul 08 '13 at 20:50
  • So you're just using a custom auth using `Session`. I would have the page that the third party requests, perform a redirect to your receipt page. In that way, the back button is just a GET request to the receipt page. In addition, that "landing" page the 3rd party hits should obviously be secure and perform auth checks. There should also be mechanisms to not post dupe payments to 3rd party sites. – Luke Hutton Jul 08 '13 at 21:09
  • The receipt page can perform the logout (abandon session). When back is performed to the GET request to the receipt page, it can redirect to login and/or say payment has already been completed etc. – Luke Hutton Jul 08 '13 at 21:32

1 Answer

We do not normally see a shopping cart log out a user after checkout is completed. If you do so, the user will get mad.

In addition, you cannot control the back button. Instead, you can create steps like this:

Cart Page -> Go to third party site -> Confirmation Page -> Completed Page.

If the user completed the checkout at the Completed Page and clicks the back button, you can still validate the cart at the Confirmation Page.

For example, save a SessionState from the Cart Page all the way to the Completed Page. Clear the session state if the cart is completed successfully. If the user browses to the Confirmation Page without SessionState, then display "Your cart is empty".

Win
  • Are you saying do something like this in the Page_load of the Confirmation page: `if (Session["ActivePayment"].ToString() == "true") Response.Redirect("CompletedPage.aspx"); else Response.Redirect("Login.aspx");` – Austin Jul 08 '13 at 20:56
  • Yes, `Session["ActivePayment"]` should not be null in `Confirmation Page` in order to promote to `Completed Page`. If null, redirect to `Cart Page`. ***In addition, you can check whether user is authenticated at all steps.*** – Win Jul 08 '13 at 21:02
  • It checks if they're authenticated at all steps but the problem is that they can hit the back button and then resubmit on the third party site. But your answer should counteract the problem (hopefully) – Austin Jul 08 '13 at 21:05
  • There have been countless threads regarding back button. Look at this one - http://stackoverflow.com/questions/961188/disable-browsers-back-button – Win Jul 08 '13 at 21:17
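
The session check discussed in this answer and its comments, written out as an added example that is not code from the original posts. The page names `Cart.aspx` and `CompletedPage.aspx`, the handler name `PayWithCard_Click` and the payment URL are assumptions for illustration; `Session["NID"]` and `Session["ActivePayment"]` are the keys used in the thread.

```csharp
using System;
using System.Web.UI;

// Hypothetical code-behind for the page where the user picks "pay with card".
public partial class Cart : Page
{
    protected void PayWithCard_Click(object sender, EventArgs e)
    {
        // Response.Redirect(url) ends the request, so nothing below it runs.
        if (Session["NID"] == null) Response.Redirect("Login.aspx");

        // Mark a payment as in flight before the user leaves the site.
        Session["ActivePayment"] = "true";
        Response.Redirect("https://payments.example/checkout"); // placeholder URL
    }
}

// Hypothetical code-behind for the Confirmation Page the third party returns to.
public partial class Confirmation : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Session["NID"] == null) Response.Redirect("Login.aspx");

        // "as string" is null-safe; Session["ActivePayment"].ToString()
        // throws NullReferenceException once the flag has been cleared.
        bool active = (Session["ActivePayment"] as string) == "true";
        if (!active)
        {
            // Back button or a replayed return URL: nothing left to complete.
            Response.Redirect("Cart.aspx");
        }

        // Clear the flag first so a repeat request fails the check above.
        Session.Remove("ActivePayment");

        // Redirect rather than render here, so the browser history holds a
        // plain GET of the completed page instead of the third party's return.
        Response.Redirect("CompletedPage.aspx");
    }
}
```

This only covers requests that reach your own pages; whether the third party accepts a second submission from its own cached form is decided on its side.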