0

I am trying to implement Login/Logout functionality in my website without using inbuilt functionality of Login controls in ASP.NET. In some pages, which require the user to be logged in, I have written this in Page_Load

    if (Session["cod"] == null && Session["admin"] == null)
    {
        Response.Redirect("You need to Login.aspx");
    }
    if (Session["cod"] != null || Session["admin"] != null)
    {
        LinkButton1.Text = "Logout";
    }

    if (Page.IsPostBack == false)
    {
        log_bind();
        grid1_bind();
        grid2_bind();
    }

But while I was testing this, I noticed that when I press the Back/Forward button on the browser, these pages are viewable without being logged in. How do I prevent this?

Cipher

5 Answers

1

This has nothing to do with the login controls, but as others state, the caching of the page.

The trick is to tell the browser that it can't cache the page. Look at this post, and its solution: Disable browser cache for entire ASP.NET website

Community
Jesper Blad Jensen
  • I think that cache disabling code is for the whole website. I only want it for some pages, where I think I should put it into Page_Load – Cipher Jan 21 '11 at 13:25
  • I need to delete this cache only once the user signs out. How can that be done? – Cipher Jan 21 '11 at 13:44
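
An added example, not part of the original question or answers: a per-page version of the cache-disabling approach, combined with the question's session check and a logout that clears the session. The class name `ProtectedPage` and the method `SignOut` are hypothetical; the session keys and redirect target are taken from the question. The server cannot remove a page from the browser's cache after the fact, so the headers are sent each time a protected page is served rather than at sign-out.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class: pages that require a login inherit from this
// instead of System.Web.UI.Page, so only those pages get the no-cache headers.
public class ProtectedPage : Page
{
    protected bool IsLoggedIn
    {
        get { return Session["cod"] != null || Session["admin"] != null; }
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Ask the browser and any proxies not to store this response, so that
        // Back/Forward re-requests the page and the check below runs again.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));

        if (!IsLoggedIn)
        {
            // The default overload ends the response here, so none of the
            // protected page's content is rendered for an anonymous request.
            Response.Redirect("You need to Login.aspx");
        }
    }

    // Call from the Logout LinkButton's click handler.
    protected void SignOut()
    {
        Session.Clear();    // drop "cod" / "admin" and everything else
        Session.Abandon();  // end the server-side session

        // Expire the session cookie (default name shown) so the old id
        // is not sent again on the next request.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
        {
            Expires = DateTime.UtcNow.AddDays(-1)
        });
        Response.Redirect("You need to Login.aspx");
    }
}
```

A protected page then declares its code-behind class as deriving from `ProtectedPage` and keeps only its data binding in `Page_Load`.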
0

I think that even if you do not use ASP.NET login controls you should still use the Principal/Identity classes and verify if a user is Authenticated or not. That is surely the safest way.

Davide Piras
0

I don't know of any reliable way to do this. Once a page has been viewed, it's on the user's computer. If they hit the back button, they are looking at a cached version anyway so I can't imagine why this would be an issue.

As long as they can't refresh the page to get the latest content, what does it matter if they're able to look at a page they already accessed?

Jonathan Wood
  • I thought I had seen it on some sites, but those are biggies and they display the message "This page has expired" etc. Although, I am not into making anything of that banking sort of web app – Cipher Jan 21 '11 at 13:01
0

Have you tried wrapping the whole function in

if (!IsPostBack) {

}

Andrew Cassidy
0

The browser may simply be showing you a cached version of the page. Try to attach a debugger to the page load event and check:

  1. Whether it is actually hitting the server when you hit back and forward.
  2. Whether the values in the session state are consistent with a logged out user.
  3. If the values in the session are consistent with a logged in user, then you have to check your session clearing logic.

It is, however, best to use the ASP.NET controls or the System.Web.Security.FormsAuthentication class to perform functions like logging in and logging out based on custom logic.

smoothe