I'm using Forms authentication. I have a small problem after the user logs out. If he hits the back button after he logs out, he's sent to the page he was on when he was logged in.
What is the best way to prevent that? I've looked around but it doesn't seem that there's one definitive approach. Ideally, I'm thinking I'd like to have a function on the master page or even in an httpmodule that checks to see if the user is logged in and if not, redirect him to the login. Is that the best way to do it?
Thanks.
As long as you do Session.Abandon() and FormsAuthentication.SignOut() on your Logout page it doesn't matter whether the user can go back to the previous page he was in, the moment he clicks on anything will be redirected to the Login page.
Example:
Page_Load login/logout page:
if (!IsPostBack)
{
FormsAuthentication.SignOut();
Session.Abandon();
}
You may turn of the cache ability of restricted pages by adding following statement in page_load event.
Response.Cache.SetCacheability(HttpCacheability.NoCache)
Since the Back button in the browser is not controllable by ASP.NET (at least not in a way to disable it), I suggest that you do it like you suggested:
On every page, check to see whether the user is logged in, if not, redirect him to the login page, optionally with a goto parameter to redirect him back to the page he wants to navigate to after successfully being logged in.
I do it this way, too for most of our applications.
HttpContext.User has the IsAuthenticated property for you to check in every page. If you really want to use your custom session variable make sure you remove it or do Session.Abandon at logout and check for it in All pages anyway.
Related
When I use:
FormsAuthentication.SignOut()
FormsAuthentication.RedirectToLoginPage()
The URL will show a ReturnUrl string, is this normal? Is there a way to prevent this?
I could just use a response.redirect, but was wondering why it shows the Return URL also.
Thanks
This is used when a user requests a secure url, they are then redirected back to this page after authenticating.
Take a look at this resource, very useful. Forms Authentication
As for removing this part of the URL, I don't think this is possible (but I haven't looked into it since it's a useful feature). You often get links to things such as news articles. You don't mind re-authenticating, but if you were to then just go to a random home page, that would be annoying, the desired action would be to have the site automatically redirect to the page you initially requested.
Edit: Another reason besides a direct link that you need to authenticate for, could be a scenario where you're reading a multi-page article, you click next page and the session has expired. You're taken back to the login page, authenticate and then return to the page you were reading. It would be undesirable to return to the homepage for you to search for that article again.
The FormsAuthentication.RedirectToLoginPage() documentation states that this method is for when you want to redirect the user to the login page, for example if a user logs out and wants to log back in as somebody else.
The returnurl is so that they are returned to the page they started on after a successful login.
It sounds like if you want them to go to the home page or some other url then you shouldn't use FormsAuthentication.RedirectToLoginPage() here. A response.redirect would be a fine alternative in my view.
To answer your question, it doesn't seem that there is a way to disable the ReturnUrl and still use FormsAuthentication.RedirectToLoginPage().
I'm working on my project to build a site in asp.net. I have a problem when use Session for login page.
My login page will check a session to know if user logged in before or not. If they didn't the login form will appear allow them to log in. Otherwise, the logout button will appear.
Everything works fine and after login, the page will redirect to default.aspx and sessions were saved, I know that because the name of the user appears in default page. But at default page if I press back button on my browser to go back to login page, the login form appears where there should be logout button. Then if I press f5 or open login page in other tab, it works ok with logout button.
Can someone help me with this!
Thank you and sorry for my bad English! :)
When navigating backwards, by default, the page state will be as it was before you logged in. Therefore, without a refresh to get that page to check the session state, there is probably not much you can do.
Put a break point on where you are checking for whether the user is logged in or not (where you determine whether to show 'logout' button or not), and then navigate back after you login. I'm pretty sure the page is loaded from cache, so the page will look exactly like it was before the user logged in. You will probably need a javascript solution for this.
Someone has posted the same issue here with a few solutions that they've tried http://forums.asp.net/t/1118630.aspx
The user is sees the page as it is in the browsers cache. That is why you see the login botton instead of the logout. You can disable caching for the page, however then you will have more server load. I has noting to do with losing the session.
To make the awnser more complete as in the comment:
protected void Page_Init(object sender, EventArgs e)
{
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetExpires(DateTime.Now.AddSeconds(-1));
Response.Cache.SetNoStore();
}
Will prevent the page from being cached on the browser.
i am writing a login page in asp.net c# not using login control.
i can create account and log in without problems as a user.
the pages that require login has a separate master page.
and i want to check if the user is logged in in masterpage page_preinit function
but the problem is that child page event functions are called before masterpage's so i could experience a problem like session expire in child page before i get to check it in master page. is there anyway around this?
ok found the event im looking for. second one on the list
http://msdn.microsoft.com/en-us/library/dct97kc3.aspx
Are you using FormsAuthentication? You shouldn't need to worry about this. Authentication happens in the IIS pipeline before the Request is handed off to your Page object, and if the user's authentication fails, it will never get there, being redirected to the login page instead.
None of your PreInit code should be called by an unauthenticated user if the page is protected by FormsAuthentication.
This is one of many reasons why rolling-your-own authentication is a risky approach. There are lots of corner cases.
Since you're storing the user ID in the Session object, then once the session expires, you can't access it any more; it doesn't matter if it's from the child page or the Master page.
Instead of using Session, it would be better to use cookies. You could have a long life on the cookie itself, with the login expiration time encoded in the value of the cookie or kept in the database, keyed by the value of the cookie. That way, the session could expire, but you would still be able to refresh it or take some other action, rather than just reporting an error.
I am maintaining a session for user login.
Consider a scenario that, User working on page20 with his account credential.
He is idle for the session variable time out. Then he start working on page20 and click link of page21.Here session is expired so he'll redirect to Login page.
After successful logged in, User should redirect to the page21.
So how do I achieve it?
The first method that comes to mind is to send the information through a get/post-variable. When you perform the session-check at page21 (I assume) and redirect the user to the login page, you can append the pagename to the address, i.e. redirect to something like www.xyz.com/login.htm?page21 (or if you don't want the pagename to be visible, use post instead). Then simply use that information when the user logs in again to redirect him/her to page21.
Hope that helps.
if you are using forms authentication, there is an inbuilt mechanism to do that, here it is. It will automatically redirect the user to the URL Referrer page
If (FrameworkManager.Authenticate(username, pwd)) Then
System.Web.Security.FormsAuthentication.RedirectFromLoginPage(username, rememberme)
end if
Really it depends on how you're using your session. If you're keeping all of the information the user enters on screens 1-20 in session, you're going to lose it all once their session expires, so you're out of luck anyway.
If you're storing everything from each page in a database, or some other mechanism, then it should be easy to tell what the last piece of information the user entered. Alternatively, you could also store the url or name of the last page the user submitted in the database.
When they log in, determine which page they should be on, then just redirect them.
If you are doing a Server.Transfer to the login page than Request.Urlreferrer would be URL of the Page21.
Where would you put this code?
If (FrameworkManager.Authenticate(username, pwd)) Then
System.Web.Security.FormsAuthentication.RedirectFromLoginPage(username, rememberme)
end if
If user wants to login again through another browser then in this situation you must add status column in your database and check if the status is true
then you have to redirect this user on last visited page.So save the visited page through cookies and get back page name and redirect on the page.
When i hit back in the browser the user is still logged in. can someone help please?
I'm assuming mean:
"After the user logs out, if they then press back in the browser the page says they are still logged in. How do I stop this?"
If so, what the user is seeing is the browsers cached version of the page - they are not actually still logged in, and if they were to browse elsewhere, then they would see that they are now logged out.
I often get around this by having the LoginStatus control have a LogoutAction of Redirect, and the LogoutPageUrl set to something like the homepage.
That is the correct behaviour for most web applications. Being logged in is a question of state, and does not rely on the page you are viewing.
If you want the back button to log the user out, then it would seem that it is a case of whichever page the previous one was, is where you want logged in users to be automatically logged out. It might be the case that the previous page (accessed through the back option) is the login page, where you would want logged in users to automatically be logged out.
To get a more accurate and more helpful answer, you should specify what behaviour you are expecting, and include details about the authentication system you are using (for example ASP.NET membership).