FormsAuthentication client-side problem

Discussion in 'ASP .Net Security' started by Marcio Kleemann, May 26, 2004.

  1. I'm using FormsAuthentication to secure access to a web site. The
    authentication process works correctly initially. The pages on the site have
    a "logout" button, which basically calls FormsAuthentication.SignOut() and
    redirect the user to the login page.

    The problem is that after the user logs out, if they were to use their
    browser's "Back" button (or even enter the url to the page directly on the
    browser), they are allowed into that page. This is probably because the
    browser is simply re-rendering the page without going back to the server
    (I've verified that it does not go back to the server by placing a
    breakpoint on page_load). Interestingly enough, if you enter a url for a
    page on that web site that was not navigated to while the user had been
    authenticated, then it correctly kicks them to the login page. But any page
    that was visited during the authenticated session continues to be available
    on that browser even after SignOut.

    Since this needs to be solved on the client side, I'm trying to implement
    something using the client's onload event, which is raised every time the
    browser renders the page (whether through Back button, etc). But the problem
    is that with client-side scripting like javascript or vbscript I don't have
    access to session variables and such - which I could otherwise use to
    indicate that the user is no longer authenticated. So I'm at a loss as to
    how to handle this.

    If someone has dealt with this before, I'd much appreciate pointing me in
    the right direction.

    Thanks
     
    Marcio Kleemann, May 26, 2004
    #1

  2. Marcio,

    Try this in your Page_Load:

    Response.Cache.SetCacheability(HttpCacheability.NoCache);

    --
    Regards,
    Wes Henderson

    In order to help everyone, please direct all replies to this newsgroup.
    This posting is my personal effort to provide help and is not on behalf of
    any company.
    Also, this posting is provided "AS IS" with no expressed or implied
    warranties.

     
    Wes Henderson, May 27, 2004
    #2
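
Added example, not part of the original thread: one way to apply the cache setting from the reply above to every authenticated response, rather than repeating it in each Page_Load. The module name is hypothetical, and it is assumed to be registered under httpModules in web.config; SetNoStore and the past Expires value go beyond the single call in the reply and also tell the browser not to keep a copy on disk.

```csharp
using System;
using System.Web;

// Hypothetical module (the name is an assumption, not from the thread).
// It marks every response served to a signed-in user as non-cacheable, so the
// browser has to ask the server again when the user presses Back after
// FormsAuthentication.SignOut(), and the server can redirect to the login page.
public class NoCacheWhenAuthenticatedModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        // PostAuthenticateRequest fires after the forms-authentication ticket
        // has been read, so Context.User reflects the current sign-in state.
        application.PostAuthenticateRequest += new EventHandler(OnPostAuthenticate);
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        // Leave anonymous content (login page, public assets) cacheable.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
            return;

        HttpCachePolicy cache = context.Response.Cache;

        // The call suggested in the reply above.
        cache.SetCacheability(HttpCacheability.NoCache);

        // Adds "no-store" to Cache-Control so the page is not written to the
        // browser cache or history store at all.
        cache.SetNoStore();

        // An expiry in the past for clients that only honour Expires.
        cache.SetExpires(DateTime.UtcNow.AddYears(-1));
    }

    public void Dispose()
    {
        // No resources to release.
    }
}
```

Pages that were cached before the headers were introduced stay in the browser until they are evicted, so test with a cleared cache.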

  3. That did it - thanks!

     
    Marcio Kleemann, May 28, 2004
    #3
