Re: logging off (without getting page when click on back )

From: Hernan de Lahitte (hernan_at_lagash.com)
Date: 03/12/04


Date: Fri, 12 Mar 2004 10:33:08 -0300

If you are using Forms Authentication, just using

System.Web.Security.FormsAuthentication.SignOut()

will do what you are looking for. This will delete the cookie that Forms
Auth uses so a new session will be started (login form retrieved) whenever
you hit some page inside your Forms Auth path. This addresses the issue of
the back navigation as well.

If you are relying on session variables only, you might expire the session
with the Session.Abandon() method. However, session variables alone are not a
very secure mechanism to handle authentication. You can find further
information about this topic and others as well here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp
(see Chapter 10 for ASP.NET pages.)

-- 
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl
Shadowfax Dev Team
This posting is provided "AS IS" with no warranties, and confers no rights.

"DotNetJunkies User" <User@-NOSPAM-DotNetJunkies.com> wrote in message
news:exjhw0ACEHA.3472@TK2MSFTNGP09.phx.gbl...
> hi everybody
> I posted a question previously on how to design secure pages so that once
> we log off, we cannot obtain the previous page if we click on back, ie the
> page must expire when we log off. Somebody posted a link to another message
> in the forum. Could he plz repost the link, because i am lost with this new
> build. thanks.
>
> If anybody else knows how to do it, plz help. i have used the session
> object and created a session variable, UserValid, which is set to yes when
> we log in and set to no when we log out and on the page i want to secure, i
> check whether uservalid=yes. It should work but it works only when i enable
> trace. It displays a message that page has expired when i click on back,
> which is exactly what i wanted, but when i disable trace it does not work.
> Any idea on what is wrong?
>
> ---
> Posted using Wimdows.net NntpNews Component -
>
> Post Made from http://www.DotNetJunkies.com/newsgroups Our newsgroup
> engine supports Post Alerts, Ratings, and Searching.
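
An added example, not part of the original posts: a logout handler that combines the two calls named in the reply, FormsAuthentication.SignOut() and Session.Abandon(). The class names, the LogoutButton_Click handler and the ~/Login.aspx path are hypothetical, and the no-cache headers on protected pages go beyond the reply: they are an assumption about why Back can still show a locally cached copy after sign-out.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical base class for every page inside the Forms Auth path.
public class ProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Assumption (not in the reply): ask the browser and proxies not to
        // keep a copy, so Back re-requests the page and the request goes
        // through the Forms Authentication check again.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
    }
}

// Hypothetical code-behind for a page that hosts the "Log off" button.
public class AccountPage : ProtectedPage
{
    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        // Remove the Forms Authentication ticket cookie.
        FormsAuthentication.SignOut();

        // Discard server-side session state (for example a UserValid flag).
        // Context.Session is null when session state is disabled.
        if (Context.Session != null)
        {
            Context.Session.Clear();
            Context.Session.Abandon();
        }

        // Expire the session id cookie so the next request gets a new id.
        // "ASP.NET_SessionId" is the default cookie name.
        HttpCookie sid = new HttpCookie("ASP.NET_SessionId", string.Empty);
        sid.Expires = DateTime.UtcNow.AddDays(-1);
        Response.Cookies.Add(sid);

        // Placeholder path: use the loginUrl configured in web.config.
        Response.Redirect(ResolveUrl("~/Login.aspx"));
    }
}
```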

