Prevent viewing a restricted page page on pressing back/forward button - asp.net

I am trying to implement Login/Logout functionality in my website without using inbuilt functionality of Login controls in ASP.NET. In some pages, which require the user to be logged in, I have written this in Page_Load
if (Session["cod"] == null && Session["admin"] == null)
{
Response.Redirect("You need to Login.aspx");
}
if (Session["cod"] != null || Session["admin"] != null)
{
LinkButton1.Text = "Logout";
}
if (Page.IsPostBack == false)
{
log_bind();
grid1_bind();
grid2_bind();
}
But while I was testing this, I noticed that when I press the Back/Forward button on the browser, these pages are viewable without being logged in. How do I prevent this?

This has nothing to do with the login controls, but as others state, the caching of the page.
The trick is to tell the browser that it can't cache the page.
Look at this post, and its solution:
Disable browser cache for entire ASP.NET website

I think that even if you do not use ASP.NET login controls you should still use the Principal/Identity classes and verify if a user is Authenticated or not. That is surely the safest way.

I don't know of any reliable way to do this. Once a page has been viewed, it's on the user's computer. If they hit the back button, they are looking at a cached version anyway so I can't imagine why this would be an issue.
As long as they can't refresh the page to get the latest content, what does it matter if they're able to look at a page they already accessed?

Have you tried wrapping the whole function in
if (!IsPostBack)
{
}

The browser may simply be showing you a cached version of the page, try to attach a debugger to the page load event and check to see if:
It is actually hitting the server when you hit back and forward
The values in the session state, whether they are consistent with a logged out user.
If the values in the session are consistent with a logged in user then you have to check your session clearing logic.
It is however best to use the asp.net controls or the system.web.security.FormsAuthentication class to perform functions like logging in and logging out based on custom logic.

Related

REST API Wordpress back button

I have been trying for a while to find a method to prevent the the browser from using cached data while the user is logged out. I am trying to force the browser to use the information from the database once the user is logged out instead. This will prevent the back button from exposing information on previously visited pages from being shown. I have used the PHP destroy session. I do not have a clue how to work with REST API.
Well, the REST API doesn't have anything to do with the frontend, but there are ways you can force the frontend page to reload on the back button being pressed.
Here is a similar question.
Essentially, you need to store some local storage data that get's checks on page load and force the page to refresh.
Page One
<script>
if (sessionStorage.getItem("Page2Visited")) {
sessionStorage.removeItem("Page2Visited");
window.location.reload(true); // force refresh page1
}
</script>
Page Two
<script>
sessionStorage.setItem("Page2Visited", "True");
</script>
Now, this isn't full-proof. If a user has javascript turned off or has some other block or something in there, it won't work. Companies do not allow sites to control a users browser. And for very good reason. But something like this can be a partial solution for the majority of users.

how to stop user to use back button

I have one button on page, page name abc.aspx . when user click on that button
it should redirect to finishwork.aspx page.
After finishwork.aspx page user must not go back to abc.aspx page. when user press back button in browser, he should be redirect to workallreadyfinish.aspx page
Disable caching on that pages and avoid caching the page.
Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
location.replace() can be used to replace your page in the history.
There are many ways to accomplish this, but, as you are using ASP.NET and I'm going to assume, WebForms, why don't you make use of the <asp:Wizard> control?
You will be able to have a much detailed control over your steps and block the user to go back and all sort of nice things.
If you want to take the normal way, you can always warn the user that the page will no longer be valid using a javascript event.
You can also make use of hashing and submit the form by an ajax call instead of a normal POST
You can write a cookie once the form is submitted and the next time, show such warning, so even if the user goes back and press the Submit button again, you will not care. Remember to erase the Cookie on if (!Page.IsPostBack) { ... }
Having your user workflow around the browser back button is not such a good idea.
Browser back buttons are not entire in your control.
If you want to provide a logical back in your application, use a back button in your application.
If you only want that a user cannot go back to a page, you should tell the browser not to cache it set the page to expire.
You can use javascript function for this:-
function disableBackButton()
{
window.history.forward();
}
setTimeout("disableBackButton()", 0);

ASP.NET Page Life Cycle Issues

Apparently I am not familiar with the Life Cycle of a page in ASP.NET. This became apparent when I wanted to dispose of a Session variable after I left the page. I did what made the most sense:
protected void Page_Unload(object sender, EventArgs e)
{
Session.Remove("ServiceSearch");
}
What I didn't know is that this would be called when I go from AND to the page. What I am wanting to do is dispose of that Session variable whenever the user leaves the page. How do I do this?
Page_Unload refers to unloading the Page object right before it is disposed after parsing and creating the page. It has nothing to do with leaving the page. Like #Nick says, there is really no good way to tell that, except to control every exit path. And you can't, because you can't control when the user hits back, or goes to google.com and then pastes in the url they were just at into the browser, etc.
If you want to remove the Session variable just so it doesn't get re-used unintentionally, a better solution is to overwrite the Session variable every time you enter the page, and just let it be disposed with the session on its own time when the session expires.
Session data is useful for storing data beyond the lifetime of a page. If you don't want to store it beyond the life of a page then Session data is not for you here.
If the user leaves the page via a link you could possibly create a link button that is hooked up to a method on the same page. That method would remove the session and do the redirect.
I would hope there is a better solution though. Although, from my understand, there is no page event to use in your case because the page would have to reload to execute the remove session code. When the user leaves via some link the page is not reloaded.
You may possibly be able to handle it via javascript. I've been in situations where I wanted to leave and I got a popup box about some bs. You could probably use the same technique to fire AJAX to remove the session.
I faced a similar situation on php login- a logged-in user could use the arrow back and forth to login page. So, I simply add :
session_start();
session_unset();
session_destroy();
above the html script of the login page so that if the logged-in user arrowed back, the session is both unset and destroyed. Any attempt to arrow forward will only lead to the login page-requesting user login credentials-essentially, the user is logged out any time they arrow back!
Hope this helps!
Alfred

Back button must not go to previous page after signing out

I am developing an asp.net web site and I am not using inbuilt authentication controls of asp.net. I have created manually tables for users for site.
What I want is as follows
After logging in user can access the pages (that is already done)
When user press sign out (user goes to specific page - example - default.aspx)
Now when user press "back" button of browser, it must not go to previous page (that is done in Yahoo pages - I want to implement the same)
To prevent users from seeing the previous page when pressing the back button you need to instruct the browser not to cache this page:
Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
Response.Cache.SetValidUntilExpires(false);
Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
You could put this code in all authenticated pages, thus preventing them from being cached on client browsers.
For a page not to be cached the browser needs to respond appropriately to caching instructions, but there is no guarantee that this will work on every browser! (An appropriately evil person could write their own browser to ignore caching information, or write a proxy to strip it out...)
So you can't get this to work 100% of the time, but you're always going to face the problem that a user can easily take a screenshot, print out a page, save a copy on their disk, etc. once you've fed a page to them anyway...
the answer for you question is:
for When user press sign out. ( user goes to specific page - example - default.aspx )
you can add a LinkButton as Signout link and in the click event handler you can write
Response.Redirect("Default.aspx");
for Now when user press "back" button of browser It must not go to previous page
//add the following code to your code behind of the page
protected override void OnPreRender(EventArgs e)
{
base.OnPreRender(e);
string strDisAbleBackButton;
strDisAbleBackButton = "<script language="javascript">\n";
strDisAbleBackButton += "window.history.forward(1);\n";
strDisAbleBackButton += "\n</script>";
ClientScript.RegisterClientScriptBlock(this.Page.GetType(), "clientScript", strDisAbleBackButton);
}
refer to csharpdotnetfreak.blogspot.com

How to disable browser postback warning dialog

I have an asp.net application that runs exclusively on IE7 (internal web site).
When a user needs to enter data, I pop up a child window with a form. When the form closes, it calls javascript:window.opener.location.reload(true) so that the new data will display on the main page.
The problem is that the browser complains that it must repost the page. Is there any way to turn this feature off?
No, but there is a solution. Its generally considered good design to use a 302 redirect immediately after someone posts data to a page. This prevents that popup from ever occuring. Allow me to elaborate.
1) The user fills in a form and submits data via POST.
2) The backend receives the data and acts upon it.
3) Instead of returning the content to the user, the backend issues a 302 redirect as soon as its done processing the page (possibly redirecting the user back to the exact same url, if need be)
4) The page that the user will see is the page you told their browser to redirect to. They will load up the redirected page with a standard GET request. If they try to refresh the page, it will not repost the data. Problem solved.
This is a problem with the usual "postback" way of ASP.NET. If you need to reload a page without this warning, this page must come from a GET, not a POST. You could do a Response.Redirect("...") yourself. But this will destroy the use of viewstate.
asp.net mvc fixes this issue, not an ie7 only problem but a security feature of most browsers. No fix that I know of except you could just update the content in the main form with js rather than reloading the whole page
It's because the page in window.opener comes from a POST Request
Maybe you can use
javascript:window.opener.location = window.opener.location; to do just a GET request if the data can be fetched without a POST.
I do not believe that there is a way to do that. Instead, why not direct the parent window to a page without a reload.
javascript:window.opener.location='your url'
AFAIK, not via your scripts.
You might try:
window.opener.location = '#';
It should circumvent the browser reposting. And, you can adjust the hash name as needed.
If you move from page1 to page2, and want to disable the browser from going back to page 1,then add the following at the top of page1.
<script>
if(window.history.forward(1) != null)
window.history.forward(1);
</script>

Resources