When I hit back in the browser the user is still logged in. Can someone help please?
I'm assuming you mean:
"After the user logs out, if they then press back in the browser the page says they are still logged in. How do I stop this?"
If so, what the user is seeing is the browser's cached version of the page - they are not actually still logged in, and if they were to browse elsewhere, then they would see that they are now logged out.
I often get around this by having the LoginStatus control have a LogoutAction of Redirect, and the LogoutPageUrl set to something like the homepage.
That is the correct behaviour for most web applications. Being logged in is a question of state, and does not rely on the page you are viewing.
If you want the back button to log the user out, then it would seem that it is a case of whichever page the previous one was, is where you want logged in users to be automatically logged out. It might be the case that the previous page (accessed through the back option) is the login page, where you would want logged in users to automatically be logged out.
To get a more accurate and more helpful answer, you should specify what behaviour you are expecting, and include details about the authentication system you are using (for example ASP.NET membership).
Related
Users get stuck in a login/out loop experience - ONLY on the /login screen.
I have a membership plugin activated (Restrict Content Pro) that utilizes a login shortcode which I'm using on a /login page. I have a global login/out link, utilizing wp_logout_url(); for logging out.
Behavior works as expected everywhere on the site except the login page. If I logout then return to the login page, I'm shown content as if I were logged in. If I attempt to logout from this page I'm thrown to the "You are attempting to log out of 'x'. Are you sure you want to do this?" error page.
The cookie 'wordpress_logged_in_' is also present only on this page. So, I'm under the impression this is why the site is displaying the 'logged-in content'. My question is - why would this specific cookie only be saved on this specific page? Can I completely destroy it on a log out?
Thanks in advance.
This issue seems to be persistent to date. Are there any updates on solutions for this? It seems to me that WP is not destroying all the cookies relevant to login. After investigating a little I found that the login cookie was set for a particular path (in my case it was /my-account). Maybe WP is missing this cookie as this is not set to /.
I am using forms authentication with Asp.Net 4. At the moment when the users click on the logout link, I clear the session and call FormsAuthentication.SignOut() and this prevents the users from going back to the site without logging in again.
Now I want to kill the session when the browser or tab is closed. I tried doing this by handling onbeforeunload event, but I ended up killing the session after clicking any internal links.
Any ideas how I can do this?
You can't, but you can come close.
The authentication cookies are session only, which means they are deleted by the browser when the browser closes. Maybe you do not close all browser tabs, but if you close them all the authentication cookies are lost.
About closing a tab, you do not know if the user has other tabs open.
A possible solution may be a call back to the server every 10 seconds to keep this authentication active or not, and to set the authentication to end after 20 seconds. So if no signal comes back, the user has gone. This can be done using JavaScript. On the other hand, this cannot let the user log out after some minutes of inactivity, so you may need a combination of this logic with something else.
The best you can do is when your user explicitly logs out to also call Session.Abandon() to remove that user's session. But like others have said there is no way of knowing if the tab/window just closes without doing a logout in this fashion. The session will just hang around on the server until it expires.
I answered another question that had a problem with session being killed when the user edited the web.config on a live site. They were tracking users still being logged in with Session variables (dangerous). But came up with a solution (untested solution) that could help people here.
FormsAuthentication allows you to maintain a person being active and logged in indefinitely. But if they become inactive for e.g. 20 mins they will be logged out which is nice. But to have them logged out at the time they close their browser is not possible (wait for it...) as setting the timeout value to 0 would cause them to be constantly logged in then out again.
So solution : at the time you log a person in using FormsAuthentication you could also set a standard session variable cookie that will be deleted when they close their browser. This cookie would have non-identifying non-account related information. Just a simple "loggedIn:yes".
Now all your code would need to have on its masterpage/masterlayout is a high level call in the page cycle or constructor of the page cycle (or even a custom attribute) that would check both cookie and the user identity:
    if (!HasLoginCookie() || !System.Web.HttpContext.Current.User.Identity.IsAuthenticated)
    {
        // redirect user to log in page.
    }
Basically if the cookie is removed when the browser is closed, you will redirect the user to the log in page.
Hopefully that helps (and works. As I said untested).
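An added example of the session-marker check described in the answer above; it is not the answerer's code. The class name `BrowserSessionMarker` and the cookie name `loggedIn` are assumptions; `Issue` is called right after the Forms authentication ticket is set at login, and `Enforce` early in the page cycle (for example from the master page).

```csharp
using System.Web;
using System.Web.Security;

public static class BrowserSessionMarker
{
    private const string CookieName = "loggedIn"; // assumed name, carries no account data

    // Call at login. No Expires is set, so the browser treats this as a
    // session cookie and drops it when the browser session ends.
    public static void Issue(HttpResponse response)
    {
        var marker = new HttpCookie(CookieName, "yes")
        {
            HttpOnly = true,                             // not readable from script
            Secure = FormsAuthentication.RequireSSL,     // follow the ticket's setting
            Path = FormsAuthentication.FormsCookiePath   // same scope as the ticket
        };
        response.Cookies.Add(marker);
    }

    // Request.Cookies[...] returns null when the cookie was not sent.
    public static bool HasLoginCookie(HttpRequest request)
    {
        HttpCookie marker = request.Cookies[CookieName];
        return marker != null && marker.Value == "yes";
    }

    // Authenticated ticket but no marker: treat as a new browser session,
    // end the server-side login and send the user to the login page.
    public static void Enforce(HttpContext ctx)
    {
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return; // Forms authentication already handles anonymous users
        if (HasLoginCookie(ctx.Request))
            return;

        FormsAuthentication.SignOut();
        if (ctx.Session != null)
            ctx.Session.Abandon();
        // Does not end the request; code after this call still runs.
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Browsers configured to restore the previous session on startup keep session cookies across a restart, so the marker is not guaranteed to disappear when the window closes.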
I'm using Forms authentication. I have a small problem after the user logs out. If he hits the back button after he logs out, he's sent to the page he was on when he was logged in.
What is the best way to prevent that? I've looked around but it doesn't seem that there's one definitive approach. Ideally, I'm thinking I'd like to have a function on the master page or even in an httpmodule that checks to see if the user is logged in and if not, redirect him to the login. Is that the best way to do it?
Thanks.
As long as you do Session.Abandon() and FormsAuthentication.SignOut() on your Logout page it doesn't matter whether the user can go back to the previous page he was in, the moment he clicks on anything he will be redirected to the Login page.
Example:
Page_Load login/logout page:
    if (!IsPostBack)
    {
        FormsAuthentication.SignOut();
        Session.Abandon();
    }
You may turn off the cacheability of restricted pages by adding the following statement in the Page_Load event.
Response.Cache.SetCacheability(HttpCacheability.NoCache)
Since the Back button in the browser is not controllable by ASP.NET (at least not in a way to disable it), I suggest that you do it like you suggested:
On every page, check to see whether the user is logged in, if not, redirect him to the login page, optionally with a goto parameter to redirect him back to the page he wants to navigate to after successfully being logged in.
I do it this way, too, for most of our applications.
HttpContext.User has the IsAuthenticated property for you to check in every page. If you really want to use your custom session variable make sure you remove it or do Session.Abandon at logout and check for it in All pages anyway.
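An added example, not code from any of the answers above: an HttpModule that applies the no-cache advice to every response sent to an authenticated user and also sets no-store, so the browser is told not to keep a copy to show when Back is pressed after logout. The class name `NoStoreForAuthenticatedModule` is an assumption; the module is registered under `<system.webServer><modules>` in web.config.

```csharp
using System;
using System.Web;

public class NoStoreForAuthenticatedModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Context.User is populated once authentication has run for the request.
        app.PostAuthenticateRequest += OnPostAuthenticate;
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Anonymous pages (home page, login form) keep their normal caching.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;

        HttpCachePolicy cache = ctx.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);        // Cache-Control: no-cache
        cache.SetNoStore();                                      // adds no-store
        cache.SetExpires(DateTime.UtcNow.AddYears(-1));          // Expires in the past
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches);  // must-revalidate
    }

    public void Dispose()
    {
        // Nothing to release; the handler is detached with the application.
    }
}
```

The headers only affect what the browser may redisplay; the server-side check of `IsAuthenticated` on each request remains the control that keeps a logged-out user out.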
I have an asp.net website using the SQL ASP.net membership system. When users are logged in to the website and are inactive for 20 minutes, they get sent to the login page on the next page request. I would like to show some text on the login page that says "you were logged out due to inactivity" when this happens. Is there a built-in way to do this? Or any other ways I could distinguish why the user has been sent to the login page (for inactivity or some other reason)? I have scoured SO and Google but haven't been able to come up with anything.
The reason we need to do this is because we recently migrated from a previous version of the website that was lax about security and didn't have auto logout, so we're getting lots of feedback from users thinking there's something wrong with the website when they are prompted to login again.
Thanks in advance.
It is better to use javascript for this and be proactive about it, showing the timeout remaining if possible otherwise just alerting the user with a messagebox showing that his session has timed out and then redirecting him to the login page. Have a look here for a simple example.
To redirect him to the login page add the following to the below line as in the example:
alert("Your current Session is over."); window.location = "YourLoginPage.aspx";
For purposes of closure, I'll answer my own question. I couldn't find a clean way of doing what I'd like, so I ended up setting a cookie with the login time after the user logs in. Then on the login form page, I see if the login time in the cookie is greater than 30 minutes old (my auth timeout in asp.net) and display a "logged out due to inactivity" message. Otherwise it doesn't display the message.
Not great, but it seems to work. Satisfies the requirement for the vast majority of our users.
I am developing a simple email portal as my college assignment and I refer to Gmail for various features. Now when we sign into a Gmail account and then if we hit the back button of the browser we somehow still remain on the inbox page. In my case after login if I press the back button I come back to the login page. Please suggest how I can achieve this. Also I am a newbie to ASP.NET so keep it detailed.
Very simple. When loading the login page, check the user's current session state, and if they're already logged in, redirect them to their inbox.
The trick is to use javascript's "history.replace(...)" function:
http://www.hunlock.com/blogs/Mastering_The_Back_Button_With_Javascript
In essence, you remove previous history entries.