How do I make sure that a asp page expires immediately and is not stored in the history ???

Discussion in 'ASP General' started by divya, Oct 4, 2006.

  1. divya

    divya Guest

    I have a page name edit.asp which should expire immediately .The user
    cannot open this page directly he has to provide a password for
    entering this page.thus when the user enters edit.asp , it has a button
    EDIT ,which when user clicks directs him to another page (done.asp).
    Now the problem is that from this page (done.asp) if he clicks on the
    back button on the toolbar then edit.asp opens.But I don't want it to
    open It should show page has expired .Because he is entering without
    providing password and can also edit the record second time by hitting
    EDIT button. How do I make sure edit.asp page expires immediately or is
    not stored in the history ??? I tried using response.expires= - 400
    but this doesn't work.Do I need some javascript which stops edit.asp
    from getting stored in the HISTORY??? Kindly help with some solution.
    divya, Oct 4, 2006
    #1
    1. Advertising

  2. "divya" <> wrote in message
    news:...
    > I have a page name edit.asp which should expire immediately .The user
    > cannot open this page directly he has to provide a password for
    > entering this page.thus when the user enters edit.asp , it has a button
    > EDIT ,which when user clicks directs him to another page (done.asp).
    > Now the problem is that from this page (done.asp) if he clicks on the
    > back button on the toolbar then edit.asp opens.But I don't want it to
    > open It should show page has expired .Because he is entering without
    > providing password and can also edit the record second time by hitting
    > EDIT button. How do I make sure edit.asp page expires immediately or is
    > not stored in the history ??? I tried using response.expires= - 400
    > but this doesn't work.Do I need some javascript which stops edit.asp
    > from getting stored in the HISTORY??? Kindly help with some solution.
    >


    Not much you can do about this. Think of it this way if the user were to
    navigate to the done.asp using open in new window feature would you be able
    to do anything about them bringing the original window into the foreground?

    In effect a browsers like IE implements many navigations in this way but the
    reuse the client area of the browser to show the new window. When you click
    back it simple returns the still existing loaded web page to the client
    area. Obviously there comes a point where if you click back enough that the
    browser will be forced to reload the page. The HTTP rules covering caching
    end at the point the resource content is delivered to the browser. What the
    browser does with that resource and when it feels the need to re-request
    that resource is entirely it's business.
    Anthony Jones, Oct 4, 2006
    #2
    1. Advertising

  3. divya

    Mike Brind Guest

    "divya" <> wrote in message
    news:...
    >I have a page name edit.asp which should expire immediately .The user
    > cannot open this page directly he has to provide a password for
    > entering this page.thus when the user enters edit.asp , it has a button
    > EDIT ,which when user clicks directs him to another page (done.asp).
    > Now the problem is that from this page (done.asp) if he clicks on the
    > back button on the toolbar then edit.asp opens.But I don't want it to
    > open It should show page has expired .Because he is entering without
    > providing password and can also edit the record second time by hitting
    > EDIT button. How do I make sure edit.asp page expires immediately or is
    > not stored in the history ??? I tried using response.expires= - 400
    > but this doesn't work.Do I need some javascript which stops edit.asp
    > from getting stored in the HISTORY??? Kindly help with some solution.
    >


    Going on from what Anthony said, create a session variable when the user
    logs in to edit.asp. When they submit the page, check for the existence of
    the variable before commiting any updates to the database. Once the update
    has ocurred, remove the session variable. That way, they will have to log
    in to the edit.asp page again to be able to change anything. They will
    still see the page in their history, but if they tried to submit it, your
    code will spot the absence of the session variable and redirect them
    somewhere else.


    --
    Mike Brind
    Mike Brind, Oct 4, 2006
    #3
  4. divya wrote:
    > I have a page name edit.asp which should expire immediately .The user
    > cannot open this page directly he has to provide a password for
    > entering this page.thus when the user enters edit.asp , it has a
    > button EDIT ,which when user clicks directs him to another page
    > (done.asp). Now the problem is that from this page (done.asp) if he
    > clicks on the back button on the toolbar then edit.asp opens.But I
    > don't want it to open It should show page has expired .Because he is
    > entering without providing password and can also edit the record
    > second time by hitting EDIT button. How do I make sure edit.asp page
    > expires immediately or is not stored in the history ??? I tried
    > using response.expires= - 400 but this doesn't work.Do I need some
    > javascript which stops edit.asp from getting stored in the HISTORY???


    If edit.asp is posting back to itself, then you could always send this on
    successful submission:

    window.location.replace("done.asp")

    Alternately, you could put edit.asp in a pop-up, and close the window upon
    submission.

    Either of these requires the client to cooperate, so Mike's session variable
    suggestion would be a good complement.



    --
    Dave Anderson

    Unsolicited commercial email will be read at a cost of $500 per message. Use
    of this email address implies consent to these terms.
    Dave Anderson, Oct 4, 2006
    #4
  5. divya

    divya Guest

    Re: How do I make sure that a asp page expires immediately and is not stored in the history ???

    Thank you Mike, Anthony, Dave for the solutions.I used the session
    variables method.
    Just before entering the Edit.asp I initialized the variable
    Session("Entered")=True
    now when user clicks on EDIT I chk for the Session("Entered") and if
    its true update the record and do Session.Abandon .
    session.Abandon removes the session variables destroys that session.
    Few observations I made while practicing session variables :-
    1.The session id remains the same when I write response.write
    session.sessionid before and after session.abandon.

    response.write session.SessionId
    session.Abandon
    response.write session.SessionId

    but now when I refresh the page the sessionid changes.

    2.Is there a way by which instead of closing the whole session using
    session.abandon which removes all the session variables,I free only few
    session variables which I know are not needed after a point??

    3.When I say open in new window,the session id remains same for both
    the windows.
    My understanding:- I think this happens because the session id is
    appended at the end of the URL when its sent to the server.Not sure

    4.assuming that there are no session variables used in any of the
    pages, still Is the session id assigned to a user when he requests for
    a page ??When does a session start??Is it when a session variable is
    defined or when a user requests the server for a ASP page or a Static
    Html page ?

    5. When a Isapi filter like cookie munger is used ,b4 sending an ASP
    page to client it parses the HTML for hyperlinks and at the end of the
    hyperlink URL adds the synthesized
    Session id for the client.Is this added the same way a querystring is
    added to URL" ?..."
    Might be the synthesized Sessionid looks like something which a client
    who accpets cookies sends to server ,but in this case is calculated by
    Cookie Munger and added to all the hyperlinks present in the ASP page.



    Dave Anderson wrote:
    > divya wrote:
    > > I have a page name edit.asp which should expire immediately .The user
    > > cannot open this page directly he has to provide a password for
    > > entering this page.thus when the user enters edit.asp , it has a
    > > button EDIT ,which when user clicks directs him to another page
    > > (done.asp). Now the problem is that from this page (done.asp) if he
    > > clicks on the back button on the toolbar then edit.asp opens.But I
    > > don't want it to open It should show page has expired .Because he is
    > > entering without providing password and can also edit the record
    > > second time by hitting EDIT button. How do I make sure edit.asp page
    > > expires immediately or is not stored in the history ??? I tried
    > > using response.expires= - 400 but this doesn't work.Do I need some
    > > javascript which stops edit.asp from getting stored in the HISTORY???

    >
    > If edit.asp is posting back to itself, then you could always send this on
    > successful submission:
    >
    > window.location.replace("done.asp")
    >
    > Alternately, you could put edit.asp in a pop-up, and close the window upon
    > submission.
    >
    > Either of these requires the client to cooperate, so Mike's session variable
    > suggestion would be a good complement.
    >
    >
    >
    > --
    > Dave Anderson
    >
    > Unsolicited commercial email will be read at a cost of $500 per message. Use
    > of this email address implies consent to these terms.
    divya, Oct 13, 2006
    #5
  6. divya

    Evertjan. Guest

    Re: How do I make sure that a asp page expires immediately and is not stored in the history ???

    divya wrote on 13 okt 2006 in microsoft.public.inetserver.asp.general:

    > 2.Is there a way by which instead of closing the whole session using
    > session.abandon which removes all the session variables,I free only few
    > session variables which I know are not needed after a point??
    >


    Session.Contents.Remove(name|index)

    Session.Contents.RemoveAll()


    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
    Evertjan., Oct 13, 2006
    #6
  7. Re: How do I make sure that a asp page expires immediately and is not stored in the history ???

    "divya" <> wrote in message
    news:...
    > Thank you Mike, Anthony, Dave for the solutions.I used the session
    > variables method.
    > Just before entering the Edit.asp I initialized the variable
    > Session("Entered")=True
    > now when user clicks on EDIT I chk for the Session("Entered") and if
    > its true update the record and do Session.Abandon .
    > session.Abandon removes the session variables destroys that session.
    > Few observations I made while practicing session variables :-
    > 1.The session id remains the same when I write response.write
    > session.sessionid before and after session.abandon.
    >
    > response.write session.SessionId
    > session.Abandon
    > response.write session.SessionId
    >
    > but now when I refresh the page the sessionid changes.
    >


    Session.Abandon marks the session as abandoned. The Session object will be
    destroyed once the currently running script completes. Hence you can still
    use the session object after an abandon in the script but any changes etc
    will be lost as soon as the request is completed.

    > 2.Is there a way by which instead of closing the whole session using
    > session.abandon which removes all the session variables,I free only few
    > session variables which I know are not needed after a point??
    >


    As Evertjan points out use Session.Remove to destroy the marker you are
    using rather than the session object as a whole

    > 3.When I say open in new window,the session id remains same for both
    > the windows.
    > My understanding:- I think this happens because the session id is
    > appended at the end of the URL when its sent to the server.Not sure
    >


    A the SessionID is sent returned as a temporary cookie rooted at the
    application path. Hence any requests to pages and files within you
    application will receive this ID cookie in the http headers. ASP can use
    this cookie to look up and install the correct session object into the
    script context for the ASP page.

    A new window will not launch a new browser process just creates a new window
    in the existing process. Hence any temporary cookies installed in the
    process will be sent as appropriate in any requests generated by this new
    window.


    > 4.assuming that there are no session variables used in any of the
    > pages, still Is the session id assigned to a user when he requests for
    > a page ??When does a session start??Is it when a session variable is
    > defined or when a user requests the server for a ASP page or a Static
    > Html page ?
    >


    When the first ASP request is made. Regardless of whether the ASP page make
    use of the session object the script processor needs to create one to put
    into the context in case it is needed.

    > 5. When a Isapi filter like cookie munger is used ,b4 sending an ASP
    > page to client it parses the HTML for hyperlinks and at the end of the
    > hyperlink URL adds the synthesized
    > Session id for the client.Is this added the same way a querystring is
    > added to URL" ?..."
    > Might be the synthesized Sessionid looks like something which a client
    > who accpets cookies sends to server ,but in this case is calculated by
    > Cookie Munger and added to all the hyperlinks present in the ASP page.
    >


    This sounds like a filter designed to make ASP work with browsers that
    aggressively reject any form of cookie. The cookie munger is tracking at
    least the Set-Cookies of ASPSessionXXXXX and adding them to the querystrings
    of links, src, hrefs it finds in the outgoing response and any subsequent
    responses.

    When it sees these querystring entries on a request it extracts them and
    creates the appropriate cookie headers in the response before passing the
    request on. Hence ASP sees what it expects even though the client has
    disallowed cookies.


    >
    >
    > Dave Anderson wrote:
    > > divya wrote:
    > > > I have a page name edit.asp which should expire immediately .The user
    > > > cannot open this page directly he has to provide a password for
    > > > entering this page.thus when the user enters edit.asp , it has a
    > > > button EDIT ,which when user clicks directs him to another page
    > > > (done.asp). Now the problem is that from this page (done.asp) if he
    > > > clicks on the back button on the toolbar then edit.asp opens.But I
    > > > don't want it to open It should show page has expired .Because he is
    > > > entering without providing password and can also edit the record
    > > > second time by hitting EDIT button. How do I make sure edit.asp page
    > > > expires immediately or is not stored in the history ??? I tried
    > > > using response.expires= - 400 but this doesn't work.Do I need some
    > > > javascript which stops edit.asp from getting stored in the HISTORY???

    > >
    > > If edit.asp is posting back to itself, then you could always send this

    on
    > > successful submission:
    > >
    > > window.location.replace("done.asp")
    > >
    > > Alternately, you could put edit.asp in a pop-up, and close the window

    upon
    > > submission.
    > >
    > > Either of these requires the client to cooperate, so Mike's session

    variable
    > > suggestion would be a good complement.
    > >
    > >
    > >
    > > --
    > > Dave Anderson
    > >
    > > Unsolicited commercial email will be read at a cost of $500 per message.

    Use
    > > of this email address implies consent to these terms.

    >
    Anthony Jones, Oct 13, 2006
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.

Share This Page