How can I stop user from navigating to the previous page - asp.net

I am developing a simple email portal as my college assignment and I refer to Gmail for various features. Now when we sign into a Gmail account and then hit the back button of the browser, we somehow still remain on the inbox page. In my case, after login, if I press the back button I come back to the login page. Please suggest how I can achieve this. Also, I am a newbie to ASP.NET, so keep it detailed.

Very simple. When loading the login page, check the user's current session state, and if they're already logged in, redirect them to their inbox.

The trick is to use javascript's "history.replace(...)" function:
http://www.hunlock.com/blogs/Mastering_The_Back_Button_With_Javascript
In essence, you remove previous history entries.

Related

How to delete Iron Router history

I am using Iron Router for Meteor and want to create Android mobile apps. I created a login page that looks like the WhatsApp application. After the user successfully logs in, I want to make sure that when the user clicks the back button, the user will never go back to that page. The home page after login is the last page the user will view if he keeps clicking the back button. So if the user clicks the back button two times on the home page, the application will close.
I hope anyone understands my problem.
My problem is, the first time after the user registers, the Android functionality to kill the application after two back clicks will not occur. Or can I replicate the two-times back button function so that if I am on my home page (after login) and I click the button two times, the application will close?
Iron:router has the option {replaceState: true} that you can use.
To accomplish this, all that you need to do is to change your Router.go('home') to Router.go('home', {}, {replaceState: true}) in your redirect hook after login.
With this, when your user presses the back button, home will have replaced your login route in the history, and the user will not go to the login page.
EDIT: I just realised that's not exactly what you asked for, but it could help you somehow anyway. I'll try to replicate your case and will edit this post if I find a solution for your issue with exiting the application.
You could accomplish that by setting the login page to be displayed only if the user is not logged in.
Depending on your app structure, you can use {{currentUser}} in HTML or Meteor.userId() in JS. One solution (the easy way) would be evaluating Meteor.userId() (true if the user is logged in) on the login page route. If it turns out that the user is already logged in, it redirects to the home page, for example.

Get reason for login prompt when using asp.net membership

I have an asp.net website using the SQL ASP.net membership system. When users are logged in to the website and are inactive for 20 minutes, they get sent to the login page on the next page request. I would like to show some text on the login page that says "you were logged out due to inactivity" when this happens. Is there a built-in way to do this? Or any other ways I could distinguish why the user has been sent to the login page (for inactivity or some other reason)? I have scoured SO and Google but haven't been able to come up with anything.
The reason we need to do this is because we recently migrated from a previous version of the website that was lax about security and didn't have auto logout, so we're getting lots of feedback from users thinking there's something wrong with the website when they are prompted to login again.
Thanks in advance.
It is better to use javascript for this and be proactive about it, showing the timeout remaining if possible otherwise just alerting the user with a messagebox showing that his session has timed out and then redirecting him to the login page. Have a look here for a simple example.
To redirect him to the login page add the following to the below line as in the example:
alert("Your current Session is over."); window.location = "YourLoginPage.aspx";
For purposes of closure, I'll answer my own question. I couldn't find a clean way of doing what I'd like, so I ended up setting a cookie with the login time after the user logs in. Then on the login form page, I see if the login time in the cookie is greater than 30 minutes old (my auth timeout in asp.net) and display a "logged out due to inactivity" message. Otherwise it doesn't display the message.
Not great, but it seems to work. Satisfies the requirement for the vast majority of our users.

multiple login pages in ASP.NET forms authentication

My bank's website has 2 login pages for online banking. On the first page, I enter my username. If I don't enter a valid username, I get an error message, and do not get to the 2nd page. The 2nd page displays a picture based on my user name, and has me enter my password. If I manually type a URL to a page inside the site after entering my username but before entering my password, I am redirected back to the first login page.
Is there a good way to implement this in ASP.NET with Forms Authentication? I only get 1 loginUrl in my web.config.
I am fairly certain my bank uses Java.
I do not find this a good idea, because this way any attacker knows whether the user name is correct, and then needs to know the password.
The second reason is that it is more complicated, and you need to be sure that you do not forget something on the way to login.
The third reason is that it is not the common way to log in, so people are not used to it.
If you would like to do the same, you need 2 pages. On the first you ask for the user name, then you search your local database to check whether this is a valid user, then you keep this user name in a variable that you send to the second page, which is the actual login. On the second page you have a common ASP.NET login module, but you have hidden the user name and, at the same time, set it to the value from the previous page. And then the rest is up to you.
Hey, I know the bank on this one. Well, provided it's the same bank, there is another page that the user has to visit if they are on a computer that's never accessed the login before. Once they enter the user name, they visit a question-answer page where the question is a random one they picked when they first signed up, or at least when they thought up this cockeyed login page. Then they visit the password page.
You can implement this yourself: if you are using the built-in AspNetSqlMembershipProvider provider, you can customize the built-in login control and override the OnLoggingIn method. You can then do whatever checks you need on that login and move it to another page. On the next page you can override other methods the same way, like OnAuthenticate and OnLoggedIn, while still using the built-in control (but customized) if needed. Then you can set the login page in your web.config to your first login page. You can see MSDN for other methods as well.
Now, as already pointed out, this is not ideal because it's not typical and most users will not understand what is going on or will think it's flaky (just like I do about the bank). Not to mention you will need to do additional checks similar to how that bank is doing it to make sure everything is legit coming from the client. So in the end I wouldn't recommend it; it's too much hassle for the end user mainly.

How to redirect user to the previous page (where session expired) after logging in?

I am maintaining a session for user login.
Consider a scenario where the user is working on page20 with his account credentials.
He is idle for the session variable timeout. Then he starts working on page20 and clicks the link to page21. Here the session has expired, so he'll be redirected to the login page.
After successfully logging in, the user should be redirected to page21.
So how do I achieve it?
The first method that comes to mind is to send the information through a get/post-variable. When you perform the session-check at page21 (I assume) and redirect the user to the login page, you can append the pagename to the address, i.e. redirect to something like www.xyz.com/login.htm?page21 (or if you don't want the pagename to be visible, use post instead). Then simply use that information when the user logs in again to redirect him/her to page21.
Hope that helps.
If you are using forms authentication, there is an inbuilt mechanism to do that; here it is. It will automatically redirect the user to the URL Referrer page:
If (FrameworkManager.Authenticate(username, pwd)) Then
    System.Web.Security.FormsAuthentication.RedirectFromLoginPage(username, rememberme)
End If
Really it depends on how you're using your session. If you're keeping all of the information the user enters on screens 1-20 in session, you're going to lose it all once their session expires, so you're out of luck anyway.
If you're storing everything from each page in a database, or some other mechanism, then it should be easy to tell what the last piece of information the user entered. Alternatively, you could also store the url or name of the last page the user submitted in the database.
When they log in, determine which page they should be on, then just redirect them.
If you are doing a Server.Transfer to the login page, then Request.UrlReferrer would be the URL of page21.
Where would you put this code?
If (FrameworkManager.Authenticate(username, pwd)) Then
    System.Web.Security.FormsAuthentication.RedirectFromLoginPage(username, rememberme)
End If
If the user wants to log in again through another browser, then in this situation you must add a status column in your database and check if the status is true; then you have to redirect this user to the last visited page. So save the visited page through cookies, get back the page name and redirect to the page.
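
Added example (not part of the original posts): forms authentication carries the page the user was sent away from in the ReturnUrl query-string parameter, and any scheme that passes the return page in the request, as suggested in this thread, lets whoever builds the login link pick the redirect target. This C# helper accepts only paths inside the site; the ReturnUrl class, its method names and the sample values are constructed for illustration.

```csharp
using System;

public static class ReturnUrl
{
    // True only for site-rooted paths such as "/page21.aspx?id=5".
    public static bool IsLocal(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        foreach (char c in url)
            if (char.IsControl(c)) return false;   // no CR/LF or tabs in a redirect target
        if (url[0] != '/') return false;           // rejects "http://...", "javascript:..." and bare names
        if (url.Length == 1) return true;          // "/" itself
        return url[1] != '/' && url[1] != '\\';    // rejects "//host" and "/\host" (browsers treat both as another site)
    }

    // The requested page when it is local, otherwise a fixed landing page.
    public static string Resolve(string requested, string fallback)
    {
        return IsLocal(requested) ? requested : fallback;
    }
}

// In the login page code-behind, after the credentials have been verified:
//   FormsAuthentication.SetAuthCookie(username, false);
//   Response.Redirect(ReturnUrl.Resolve(Request.QueryString["ReturnUrl"],
//                                       FormsAuthentication.DefaultUrl));

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values: two in-site pages, then targets that must be refused.
        string[] samples = {
            "/page21.aspx", "/mail/inbox.aspx?folder=2",
            "//other.example/page21.aspx", "/\\other.example",
            "http://other.example/page21.aspx", "page21", null
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-36} -> {1}", s ?? "(null)",
                              ReturnUrl.Resolve(s, "/default.aspx"));
    }
}
```

Only the first two samples are returned unchanged; every other value resolves to the fallback page.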

hit back in the browser

When I hit back in the browser the user is still logged in. Can someone help please?
I'm assuming you mean:
"After the user logs out, if they then press back in the browser the page says they are still logged in. How do I stop this?"
If so, what the user is seeing is the browser's cached version of the page - they are not actually still logged in, and if they were to browse elsewhere, then they would see that they are now logged out.
I often get around this by having the LoginStatus control have a LogoutAction of Redirect, and the LogoutPageUrl set to something like the homepage.
That is the correct behaviour for most web applications. Being logged in is a question of state, and does not rely on the page you are viewing.
If you want the back button to log the user out, then it would seem that it is a case of whichever page the previous one was, is where you want logged in users to be automatically logged out. It might be the case that the previous page (accessed through the back option) is the login page, where you would want logged in users to automatically be logged out.
To get a more accurate and more helpful answer, you should specify what behaviour you are expecting, and include details about the authentication system you are using (for example ASP.NET membership).
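
Added example (not part of the original posts), in C# Web Forms with forms authentication: it covers both the cached-page explanation in this thread and the "check the session on the login page" answer in the first thread. The class names NoCachePage, LoginPage and LogoutPage are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Base class for the login page and every page behind it (hypothetical name).
public class NoCachePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Tell the browser and proxies not to keep a copy, so Back issues a
        // fresh request and the server decides what the user sees.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
    }
}

// Login.aspx code-behind: a user who is already signed in never sees the form,
// so pressing Back from the inbox lands on the inbox again.
public partial class LoginPage : NoCachePage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack && User.Identity.IsAuthenticated)
            Response.Redirect(FormsAuthentication.DefaultUrl);
    }
}

// Logout.aspx code-behind: end the login server-side, then leave the page.
// Back after this re-requests the protected page, and forms authentication
// redirects the now anonymous request to the login page.
public partial class LogoutPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();   // expires the authentication cookie
        Session.Abandon();               // discards server-side session state
        Response.Redirect(FormsAuthentication.LoginUrl);
    }
}
```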
