In my ASP.NET site, when a user clicks logout, I call FormsAuthentication.SignOut and Session.Abandon and redirect them to the login page. This works fine.
However, when I click "back" in the browser I can still see the last page viewed before logout was clicked. When I click on anything I am returned to the logon page as expected.
Is there anyway to expire the page that logout was clicked on so that users never see it when they click back?
Prevent credential and content caching:
First, ensure the forms cookie is not being created sticky:
FormsAuthentication.SetAuthCookie(userName, false);
Next, a little something in the Global.asax to prevent page requests from caching:
public override void Init()
{
base.Init();
BeginRequest += new EventHandler(OnBeginRequest);
}
void OnBeginRequest(object sender, EventArgs e)
{
if (!(Request.Path.EndsWith("Resource.axd")))
{
Response.Cache.SetExpires(DateTime.UtcNow.AddSeconds(-1));
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
}
}
The combination of the above two approaches has fixed a similar issue in a few apps I've worked on. We intentionally allowed .axd file caching to keep performance impact as minimal as possible - we have heavy use of third party controls that generate axd requests in the background.
Related
I've got a page to submit data into a database and I want to either re-direct them to a different page if they arent logged in OR disable the submit button at the bottom. I'm doing this in my page load event of the page to be denied access.
I've researched and found this in many spots but what exactly am I placing into Session["???"] I'm using the login/register feature provided by asp.net Web Forms
protected void Page_Load(object sender, EventArgs e)
{
if (Session[] == null)
{
Response.Redirect("~/Default.aspx");
}
}
You can use HttpContext.Current.User.Identity.IsAuthenticated to check if there is authenticated user or not
You want to check if the user who made that page requested is authenticated or not. You can do that by checking User property of Request object like Request.User.IsAuthenticated
If(!Request.User.IsAuthenticated)
Response.Redirect("~/Default.aspx");
I've created a custom login module for DNN with mixing authentications: 1) Authenticate thru ADFS. 2) Authenticate with regular forms authentication. Everything is working except:
protected void Adfs_Click(object sender, EventArgs e)
{
HttpContext.Current.GetOwinContext()
.Authentication.Challenge(new AuthenticationProperties { RedirectUri = redirectUrl },
OpenIdConnectAuthenticationDefaults.AuthenticationType);
}
the first click reloads the page and always works the second time. I've tried to disable the forms authentications like this post suggest, but because I'm working with DNN I can't do that.
I also test triggering the event on the Page_Load and works, but I want to allow the DNN native users to be able to login direct to DNN (host user) ... so I can't do the challenge there either.
Any help on what should I do to make the challenge works with the first click?
Thanks in advance.
I have an asp.net web page that has a 60 second idle-time window before the session will expire. Is there a way (either through asp, or c# code behind) to close the browser - or preferably just the tab - in the Session_End event?
I've seen a lot of posts on SO that want to do the opposite (end the session on browser close), but not what I need.
You can't close the browser but you can redirect to a "Session Expired" page by doing this:
protected override void OnPreRender(EventArgs e)
{
base.OnPreRender(e);
this.PageHead.Controls.Add(new LiteralControl(
string.Format("<meta http-equiv='refresh' content='{0};url={1}'>",
Session.Timeout * 60, "SessionExpired.aspx")));
}
You can look at this example - Alert Session Time out in ASP.NET
It basically warn the user before timeout (For example, Bank Of America site). Once it reaches the time limit, redirect user to a logout page.
FYI: User will get mad if you redirect or close a page without warning.
I've got a requirement such that, when a user logs in while completing a multi-form data submission process, their profile is checked against the data they've already submitted and certain classes of users will be shown an alert message; i.e. some users get a popup message when they login.
The popup will use the ModalPopupExtender from the Ajax toolkit which is in line with similar functionality elsewhere in the code base.
The problem I've got is that as soon as the user is validated, the user is always redirected to the originating page; I want to suspend this action until the user has been shown the message and then perform the redirection when the user clicks to dismiss the message.
Can anyone suggest a solution to this (using .NET 3.5)?
EDIT
Since it's been asked for, the login page has a user control which contains an control. The control handles the OnAuthenticate event which basically calls:
protected void Login_Authenticate(object sender, AuthenticateEventArgs e)
{
bool isValidUser = Membership.ValidateUser(FullLogin.UserName, FullLogin.Password);
if (isValidUser)
{
e.Authenticated = true;
}
...
}
It also handles the LoggedIn event which performs some business logic and raises a 'LogInSuccessful' or 'LoginFailed' event handled by the page. A successful login will the redirect the user back to the originating page.
I've already refactored out the manual redirection code to be called when the info box is dismissed but it appears that forms authentication is redirecting the user automatically which is the behaviour I'm trying to override.
When you login with forms authentication, user is carried to the login form and back to the origination page by asp.net.
Once you have authenticated the user, it will take him back to the originating page.
If you have to do it on this page, you must for this group of users, cancel the authenticate and then show the message.
protected void Login_Authenticate(object sender, AuthenticateEventArgs e)
{
bool isValidUser = Membership.ValidateUser(FullLogin.UserName, FullLogin.Password);
Session["isValidUser"] = isValidUser;
if (!Session.ContainsKey("isValidUser"))
{
e.Authenticated = false;
}
else
{
e.Authenticated = (bool)Session["isValidUser"];
}
...
}
When the user clicks the ok button, you must then postback and authenticate the user. This will need you to store the result of authenticate from the previous call in session.
It might be simpler to put this message in a common master page, let asp take the user back to the originating page and show the message there.
I have an ASP.NET Role/Membership based forms authentication site. There's a subfolder and its pages which can be accessed only by a certain role. The problem is, login page does not display any error message if any user from non-allowed role group logins in login page. I mean, when a user from AllowedRole logins, the login page redirects the user correctly to the protected page, but when a user from NonAllowedRole tries to login, he/she correctly logs in but there are no error messages displayed, the user is back to the login page without any information. I do have a FailureText set in Login form but it's not displayed. loginForm.LoginError event is also doesn't get raised. I tried this code but it doesn't display either:
protected void frmLogin_LoggedIn(object sender, EventArgs e)
{
if (!User.IsInRole("AllowedRole"))
frmLogin.FailureText = "Access denied.";
//Label1.Text = "Access denied."; //doesn't work either
}
What am I doing wrong?
On thing you can do is check the ReturnUrl query string parameter and if it's you "denied" folder, redirect the user to either an error page or an allowed login page. Like this:
protected void frmLogin_LoggedIn(object sender, EventArgs e)
{
if (!User.IsInRole("AllowedRole") &&
InRestrictedArea(Request.QueryString["ReturnUrl"]))
{
Response.Redirect("Not-Allowed-Here.aspx");
}
}
Define InRestrictedArea to check if the requested area is where they aren't allowed.
I don't know where to find the documentation to support this. This answer is based on observation of the behavior I've seen io apps I've written.
The login page is exluded from the allowed access rules. It needs to be. Say you have a site where the whole site disallows anonymous users, even at the root level. The users need to be able to access the login page to be able to log in.
To resolve your dilemma you would need to add a label (I would call it lblError) and in your Page_Load, add the following (C# example code):
if(User.IsLoggedIn)
{
If(!User.IsInRole("AllowedRole")
{
lblError.Text = "Access denied.";
}
}
Added
Gving this more thought, the reason there is no error in the login page is that the error is happening when the user attempts to access the protected page, not within the login page.
However, I believe my suggestion will work for your situation as well.