-1

In ASP.NET, I have a small div for the account on every page. In the page load of every page, I check if a session called username is null. If it is, I put login in the div. Otherwise I write their name there and put a button to log out. The log out deletes the session and loads the login div instead of the current div. It's all good, but if I log out and then press the back button, the div with the account's name returns. How should I fix it? Here is an example of my issue.

aspx:

<%=accountDiv %>

aspx.cs:

// Page load: pick the account div based on the session state.
if (Session["username"] != null) {
    accountDiv = "<div>" + Session["username"].ToString() +
        "<form method='post' onsubmit='return true'><input type='submit' name='logout'></form></div>";
}
else {
    accountDiv = "<div>" +
        "<form method='post' onsubmit='return true'>" +
        "<input type='text' name='username'>" +
        "<input type='submit' name='login'>" +
        "</form></div>";
}
if (Request.Form["login"] != null) {
    Session["username"] = Request.Form["username"];
    // accountDiv = (code that builds the div with the name as before)
}
if (Request.Form["logout"] != null) {
    Session.RemoveAll();
    // accountDiv = (code that builds the div with the login as before)
}
  • No idea, because there's no code. We can't fix a description. Descriptions are generally ambiguous and rarely accurately describe the reality of the program execution. If they did, there would be no need for programming languages. In cases like this they are doubly problematic, because in all likelihood you've described what is supposed to happen, not what actually happens, otherwise you probably wouldn't have a bug, or you would at least understand more about its cause. – ADyson Jan 29 '18 at 14:52
  • Edited. I added an example. – אביב לוינסון Jan 29 '18 at 15:19
  • I would use one of the many built-in authentication and authorisation methods available in ASP.NET and associated technologies. Rolling your own is always going to be fraught with risk and prone to bugs / unseen vulnerabilities. – ADyson Jan 29 '18 at 15:29
  • Maybe an answer here would help https://stackoverflow.com/questions/3716298/sessionid-is-still-the-same-after-session-abandon-call – Nick Jan 29 '18 at 15:39
  • ADyson, can you explain what you mean? And Nick, the answers didn't work for me. – אביב לוינסון Jan 29 '18 at 15:59
  • I mean most of this kind of thing is done for you already. Don't re-invent the wheel, especially if you end up leaving holes in it. See https://www.asp.net/aspnet/overview/authentication-and-identity – ADyson Jan 29 '18 at 16:11

2 Answers

0

Here is the code. ASP.NET has a lot of built-in classes and helpers; here is an example using a Razor view.

@if (Request.IsAuthenticated)
{

  <strong>@User.Identity.Name</strong>
  <!-- Log Off Link -->

}else{
 <strong>Please log in</strong>
}
Mauri
  • 257
  • 2
  • 6
  • Thank you! can you please explain it? – אביב לוינסון Jan 29 '18 at 15:30
  • The request object has a Boolean to know if the call comes from an authenticated user. And the Identity.Name will return the username logged in. It is the same feature that you developed “manually” with the session variables. – Mauri Jan 29 '18 at 18:19
0

You probably wouldn't use forms like this. You should have a login page that has a form that on submit goes to an action that logs the user in and then redirects to the main page that will show the page that you want with the user's name in the corner, with a logout link.

The logout link should then go to an action that logs the user out and redirects to the Login page. You should have code that checks for a not logged in user (this handles the back functionality) and they will then get redirected accordingly.

public ActionResult Logout()
{
    if (UserState.IsLoggedIn)
    {
        // Log the user out
    }
    return RedirectToAction("Login");
}

[HttpGet]
public ActionResult Login()
{
    if (UserState.IsLoggedIn)
    {
        return RedirectToAction("Index");
    }

    return View(new LoginViewModel(UserState));
}

[HttpPost]
public ActionResult Login(LoginModel model)
{
    if (UserState.IsLoggedIn)
    {
        return RedirectToAction("Index");
    }

    // Do the login and redirect accordingly
    if (loginWasSuccess)
    {
        return RedirectToAction("Action", "Controller");
    }

    // Otherwise, add errors to model state and reload login page with errors.
    ModelState.AddModelError("InvalidLogon", "Some error message");

    return View(new LoginViewModel(UserState));
}
Emma Middlebrook
  • 836
  • 1
  • 9
  • 19
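
The name reappears on Back because the browser replays its stored copy of the page without asking the server again. The following is an added example for ASP.NET MVC 5, not code from the question or either answer, showing the second answer's logout-and-recheck flow with responses marked as not storable. `NoStoreAttribute`, `AccountController` and the reuse of the question's `Session["username"]` key are assumptions, as is the default session cookie name `ASP.NET_SessionId`.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical filter: forbids browsers and proxies from storing the response,
// so Back after logout triggers a new request instead of replaying the old page.
public sealed class NoStoreAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache); // Cache-Control: no-cache
        cache.SetNoStore();                              // adds no-store
        cache.SetExpires(DateTime.UtcNow.AddDays(-1));   // already expired
        base.OnResultExecuting(filterContext);
    }
}

[NoStore]
public class AccountController : Controller
{
    // Page that shows the account name: the login state is re-checked
    // on the server for every request, including one caused by Back.
    public ActionResult Index()
    {
        if (Session["username"] == null)
        {
            return RedirectToAction("Login");
        }
        ViewBag.Username = (string)Session["username"]; // Razor's @ HTML-encodes it
        return View();
    }

    [HttpGet]
    public ActionResult Login() { return View(); }

    [HttpPost]
    [ValidateAntiForgeryToken] // the logout form must emit @Html.AntiForgeryToken()
    public ActionResult Logout()
    {
        Session.Clear();
        Session.Abandon(); // discard the server-side session state
        // Abandon() leaves the cookie in place; expire it so a fresh ID is issued.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1)
        });
        return RedirectToAction("Login"); // POST, then redirect, then GET
    }
}
```

With these headers in place, pressing Back after logout makes the browser request `Index` again, and the server-side check redirects to `Login` because the session is gone.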