How to stop backward after logout in asp?

Hello, I have a logout page in ASP for session abandon. But after the user logs out and presses the back button, the page can still go one page back. How should I modify the code so that the user cannot go backward, or if he goes backward, there will be a warning page to say that the page is expired, like those official mailboxes?

Thanks very much in advance and wait for your reply!

Although I have no idea how to do this (I know nothing about ASP), what you would probably need to do is set a cookie that determines if they are logged in or not, and then check that cookie when the page is loaded. If they are logged in, they can view, else they get an error message.

That would be quite insecure… you could get to the page by simply changing the cookies’ value to 1.

More secure than allowing to go back no matter what :stuck_out_tongue:

And it depends on how it is done as well, you don’t just have to use true or false, or if ASP has the ability to delete a cookie you can check if the cookie even exists or not.

*Originally posted by lostinbeta*
**More secure than allowing to go back no matter what :stuck_out_tongue:**

**And it depends on how it is done as well, you don’t just have to use true or false, or if ASP has the ability to delete a cookie you can check if the cookie even exists or not.**

LOL :stuck_out_tongue:

In PHP you can use session_destroy to destroy a session… I don’t know about the equivalent in ASP tho… you’ll have to wait for abzoid :wink:

Ok there are two methods that I like.

One: set how long the page exists in cache. This setting will allow the page to refresh on each access.

<%Response.Expires=-1%>

Now if you have written a cookie to say they are logged in:
<%
Response.Cookies("login") = "true"
%>

then you want to write over that cookie in your logout script:

<%
Response.Cookies("login") = "false"
%>

Then of course on each page that is a “secure location” you want to put a script that checks that ‘login’ cookie to see if they are logged in…

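<%
Dim logincheck

' Read the login flag that was written at login
logincheck = Request.Cookies("login")

' Anything other than "true" is sent to the error page
If logincheck <> "true" Then
    Response.Redirect "http://www.blah.com/loginerror.asp"
End If
%>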

That is one way of doing a login script.

However it is not the most secure.

There are sessions (very secure), then there are ways of combining database entries and cookies with random number generator scripts that triple check everything.

Hope that helps, if you need anything more. Let me know.

What happens in one of my favorite scripts… (’cause it’s hard and complex lol)

Is this.

When you access my site.

You try and login.

If you are a user you enter your name and password.

The script checks the database for that password and user combo.

If it exists.

A random number generator generates a number and stores it in one field of the database. It then stores the same number in the cookie value on your machine.

Now each page after that, I have a script check the value in the database with the value in your cookie. If they match you may proceed. If they do not then no access.

Now when the person logs-off… a second random number is generated and stored in one of the locations; making it to where the numbers no longer match.

That way the next person that comes along on the computer cannot just “edit” the cookies to access it.

The random number is around 30 characters long.

Again, if the cookie number doesn’t match the database number; then no access.

Keys here are to protect the database. Most server companies have the database in a separate non-public area of the server.

There are other ways to do this. But that above way is just fun and extremely secure.

If I were going to do this, and I have on more than a few web sites, I’d use a simple session variable instead of messing with client side cookies.

When the user logs in set session("user") = {username from database lookup}.
When the user logs out set session("user") = "".
On every secure page check to see **if session("user") = ""** and if it does then redirect to login page.

Simple yet quite secure.

or, you could always just nest a whole bunch of [edit]frames[/edit], so the browser freezes, causing a restart, therefore clearing the history…

:beam:

Rev

rofl yeah with about three java lake applets in each table set

oops, not tables, I meant frames…set up a frameset with 2 frames. Inside each of those 2 frames, 2 frames open up. Inside each of those 4 frames, 2 frames open up…

etc… until crash…

you can even use a random color script on the html pg to make it real purty before it shuts down…

roflmao, do you have an example? :stuck_out_tongue: lol

You just have one or both of the frames load the main frameset page as one of its content pages. For example:

Save the following code as frameset.html


<html>
<head>
<title>Crasher</title>
</head>

<frameset cols="50%,50%">
  <frame src="frameset.html">
  <frame src="frameset.html">
</frameset>

</html>

We used to put pages like this as index.html in directories where no one had any business trying to see a directory listing. Mwuahahahaha

I have to confess…

abzoid’s the guy who told me about this… something like 5 years ago…

Rev

that is hilarious lol
too bad i’m too lazy to put that in an html page and see if it works… also too lazy to do the random background

there’s also a way to crash ie with only five lines of code:

<html>
<form>
<input type crash>
</form>
</html>

:stuck_out_tongue:

Hello, it is so nice to see all of your answers. I am impressed by all of your help. Currently, what I have coded in my page is that in every user session page, there is a check for whether session("ID") is null. If it is, then redirect to the login page. Else show the page. For the logout page, I have Session.Abandon for it.
But if I press the Back button from the browser’s tool bar, it can always show the former page with the user id shown there, although I cannot do any modification in that page (it will redirect to the login page). But anyway, it can go backward.

So in my case, what is the easy way to make sure that user cannot go backward then ?

Thanks for all of your help.!!!

What they are seeing is in their own browser cache. There is a Meta tag you can include in the page headers that is “supposed” to prevent the page from being cached by the client. I’ve had only limited success using it. (remove the space after the < )

< META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE" >

Other than that, I know of no way to control what is cached by the clients browser.

hi, do you mean putting this meta in the logout page or in every page?

You’d have to put that code in every page that you did not want the user to cache.

<%Response.Expires=-1%>

^from my two posts above
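
The two pieces this thread arrives at, the server-side session check and the no-cache response headers, combined as an added example (not code from any poster above). The file names `secure.asp`, `logout.asp` and `login.asp` and the `Session("user")` key are assumptions for illustration. The ASP Session object already does the cookie-versus-server matching described earlier: the browser holds only a random session ID cookie, and the login state stays on the server.

```asp
<%
' ---- secure.asp (hypothetical include file, added example) ----
' Put this at the very top of every protected page:
'   <!--#include file="secure.asp"-->

' 1. Send HTTP response headers (more reliable than a META tag) telling the
'    browser and any proxy not to keep a copy of this page, so that Back
'    after logout causes a fresh request instead of showing the cached view.
Response.Buffer = True                    ' headers must go out before any HTML
Response.Expires = -1                     ' already expired (relative, minutes)
Response.ExpiresAbsolute = Now() - 1      ' already expired (absolute date)
Response.CacheControl = "no-cache, no-store, must-revalidate"
Response.AddHeader "Pragma", "no-cache"   ' for HTTP/1.0 clients and proxies

' 2. The fresh request then reaches this check. The value is held in the
'    server-side Session object, so editing a cookie value in the browser
'    cannot switch it on.
If Session("user") = "" Then
    Response.Redirect "login.asp"
End If
%>

<%
' ---- logout.asp (hypothetical, added example) ----
Session("user") = ""      ' clear the login flag for the rest of this request
Session.Abandon           ' destroy the server-side session when the request ends

' The logout response itself should not be cached either.
Response.Expires = -1
Response.CacheControl = "no-cache, no-store, must-revalidate"
Response.Redirect "login.asp"
%>
```

With both in place, pressing Back after logout makes the browser ask the server for the page again, and the session check answers with the redirect to the login page.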