Logout issues in a 3rd party product


  1. #1
    Anuj Seth Guest

    Logout issues in a 3rd party product

    Hi,

    We are using a 3rd party product which has been developed using ASP. I'll explain the problem,

    1. The login page is in HTML (login.htm)

    2. Once you click on the SUBMIT button, it takes you to the main page (let's say main.asp)

    3. Right at the beginning of main.asp, the app creates a cookie and stores the login name and password by using the Request.Form method to retrieve the form contents and then using Response.Cookies to generate a cookie.

    4. The same page has a logout button, which is simply a link back to "login.htm"

    This suggests to the user that the session has been terminated. *BUT*, the user can click on the back button in the browser and everything works fine. This is because it reposts the data and gets the login/password again and creates the cookie all over again.

    How do I ensure that if the user clicks on the back button, the session is terminated?

    You must realize that this application uses cookies extensively for session management. It does not use the concept of ASP Sessions at all!!

    Also, I've tried using the following code at the beginning of main.asp but to no avail,

        Response.Buffer = true
        response.expires = 0
        response.expiresabsolute = Now() - 1
        response.addHeader "pragma","no-cache"
        response.addHeader "cache-control","private"
        Response.CacheControl = "no-cache"

    This does not work, because the user can simply click on "YES" in the "Repost form data" dialog and the cookie will be generated again!!

    From what I can tell you, the problem lies in the technique it uses to generate a cookie --> It does not use any session variables, but just cookies!

    Please do provide me with a simple and efficient answer to solving this problem.

    Thanks a ton,

    With Regards,
    Anuj

  2. #2
    RE: Logout issues in a 3rd party product

    Anuj,

    There's nothing I love better than a good back button question. You've got to ask yourself why you care. Is it because you're worried about a different user than the first sitting down and getting a free login? If this is the case, if this is some sort of multi-user computer lab-ish situation, I'd recommend that the first user simply close the browser after they log out. Is there some other reason you care so much, because a 100% solution to this type of problem may not be possible: you're paddling upstream against the nature of web browsing.

    That said, this may fix your problem. I'll assume you're hellbent on keeping the login.htm page a non-ASP page. Put a hidden value in the HTML form that contains the client's system time. You can use JavaScript to set this hidden value when the page is loaded. Then in main.asp, set this submitted hidden form value into a cookie, "LastLoggedInTimestamp". If the user ever tries to log in with a hidden form time value that's the same as that "LastLoggedInTimestamp" cookie's value, you know it's a back-button-resubmit login, and you can take appropriate measures.

    Michael Balloni
    balloni_poni@yahoo.com
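
The check described in the reply above, written out as an added example in classic ASP (VBScript) for the top of main.asp; it is not code from either poster or from the product. The hidden field name `loginStamp`, the redirect back to login.htm, and expiring the request's cookies as the "appropriate measure" are assumptions.

```asp
<%@ Language="VBScript" %>
<%
' Added example: back-button resubmit check for the top of main.asp.
' Assumption: login.htm carries <input type="hidden" name="loginStamp"> and a
' script on that page sets its value to new Date().getTime() on load.
' "loginStamp" is a hypothetical field name; LastLoggedInTimestamp is the
' cookie name used in the reply.
Response.Buffer = True   ' lets cookies and the redirect be set before output

Dim stamp, lastStamp, cookieName
stamp = Trim(Request.Form("loginStamp"))
lastStamp = Request.Cookies("LastLoggedInTimestamp")

If UCase(Request.ServerVariables("REQUEST_METHOD")) = "POST" Then
    If stamp = "" Or Len(stamp) > 20 Or Not IsNumeric(stamp) Then
        ' Field missing or malformed: do not create the login cookies.
        Response.Redirect "login.htm"
    ElseIf stamp = lastStamp Then
        ' Same stamp as the last accepted login: the browser reposted the
        ' old form. Expire the cookies this request carried (cookies that
        ' were set with a non-default Path need that Path set here too).
        For Each cookieName In Request.Cookies
            If cookieName <> "LastLoggedInTimestamp" Then
                Response.Cookies(cookieName) = ""
                Response.Cookies(cookieName).Expires = DateAdd("d", -1, Now())
            End If
        Next
        Response.Redirect "login.htm"
    Else
        ' Stamp from a freshly loaded login page: remember it so that a
        ' later repost of this same form is recognised.
        Response.Cookies("LastLoggedInTimestamp") = stamp
    End If
End If
' The product's existing main.asp code continues here.
%>
```

The stamp is supplied by the client, so this recognises the browser's own repost of the old form rather than proving that a request is fresh.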
