Lauchlan M
Hi.
I have an app that is running cookieless.
(i.e.
<sessionState
    mode="InProc"
    stateConnectionString="tcpip=127.0.0.1:42424"
    sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
    cookieless="true"
    timeout="20"
/>
)
The session variable is getting passed around in the url, as in
http://localhost/MyWebApp/(0ufczt45npgtutzha3l23x55)/MyPage.aspx
Now, at some point I blitz the session (I want to log out a user and login
is handled with sessions instead of form authentication) with
Session.Abandon(). But the session variable in the url for the next page I
go to is still the same, e.g.
http://localhost/MyWebApp/(0ufczt45npgtutzha3l23x55)/MyNextPage.aspx
So, how do I make sure the session gets blitzed in the URL as well as in the
HTTPSessionState?
The problem is that because it 'remembers' this session variable, it allows
going to pages that have already been visited previously in this 'session'
although the previous visit was actually someone else's session. So if I log
in as one kind of user in my web application and log out, and log in again
as a different user, I can still go to pages that I went to under the old
login when I shouldn't be able to.
Thanks!
Lauchlan M
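
An added example, not part of the original post: one way to make logout issue a fresh session id in the URL, paired with a per-page login check so an old URL never shows a protected page to a logged-out browser. It assumes ASP.NET 2.0 or later (for SessionIDManager); the "UserId" session key and the Logout.aspx and Login.aspx page names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;

// Code-behind for a hypothetical Logout.aspx.
public class Logout : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // "UserId" is an assumed key that the login page sets on success.
        if (Session["UserId"] != null)
        {
            Session.Clear();    // drop the login state immediately
            Session.Abandon();  // discard the server-side session at end of request

            // Abandon() leaves the "(id)" URL segment untouched, so issue a new
            // id explicitly. In cookieless mode SaveSessionID redirects the
            // browser to the current URL rewritten with the new id.
            SessionIDManager manager = new SessionIDManager();
            string newId = manager.CreateSessionID(Context);
            bool redirected, cookieAdded;
            manager.SaveSessionID(Context, newId, out redirected, out cookieAdded);
            if (redirected) return;
        }
        // Second pass (new, empty session), or nobody was logged in.
        Response.Redirect("Login.aspx");
    }
}

// Hypothetical base class for every page that requires a login.
public class ProtectedPage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        // Keep the browser from re-serving a stored copy after logout.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);

        // Authorize on the login marker, never on the mere presence of a
        // session id in the URL.
        if (Session["UserId"] == null)
        {
            Response.Redirect("Login.aspx");
            return;
        }
        base.OnLoad(e);
    }
}
```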