J
js
In my project I have both ASPX and classic ASP. Four things in
question are the entry page(Main.aspx), the logon page(logon.ASP), .Net
Session, legacy ASP Session. The Main.apsx contains a Logon button
(ImageButton) and a Logout button (ImageButton).
On click the logon button, the logon.asp screen appears if the user
never logon in the current session before. On click the logout button,
the .Net Session is abandoned. Please not the Logout button is a user
control (a ascx which is registered in Main.aspx) which expose a public
void method that does
Session.Clear();
Session.RemoveAll();
Session.Abandon();
Server.Transfer(/Main.aspx);
Upon displaying logon.asp page, the .Net Session is serialized to SQL
Server. The Logon.ASP picks up the session content. If no user
credential is found, then the page asks the user to logon, otherwise it
uses the user's credential to enter the secured area of the site.
Two problems:
1. When user clicks the logout button the Session is not really
abandoned because I can still see the user credential on screen.
However, a new session ID is created.
2. If the user has logon once in the current session, then logout.
When the user clicks the logon button on the Main.aspx which redirects
the user to the Logon.ASP page, but the user does not enter user name
and password. Instead he clicks the site banner which redirects him
back to Main.aspx. The Main.aspx for some reason will retrieve his
credential from session that is supposed to be abandoned by now.
question are the entry page(Main.aspx), the logon page(logon.ASP), .Net
Session, legacy ASP Session. The Main.apsx contains a Logon button
(ImageButton) and a Logout button (ImageButton).
On click the logon button, the logon.asp screen appears if the user
never logon in the current session before. On click the logout button,
the .Net Session is abandoned. Please not the Logout button is a user
control (a ascx which is registered in Main.aspx) which expose a public
void method that does
Session.Clear();
Session.RemoveAll();
Session.Abandon();
Server.Transfer(/Main.aspx);
Upon displaying logon.asp page, the .Net Session is serialized to SQL
Server. The Logon.ASP picks up the session content. If no user
credential is found, then the page asks the user to logon, otherwise it
uses the user's credential to enter the secured area of the site.
Two problems:
1. When user clicks the logout button the Session is not really
abandoned because I can still see the user credential on screen.
However, a new session ID is created.
2. If the user has logon once in the current session, then logout.
When the user clicks the logon button on the Main.aspx which redirects
the user to the Logon.ASP page, but the user does not enter user name
and password. Instead he clicks the site banner which redirects him
back to Main.aspx. The Main.aspx for some reason will retrieve his
credential from session that is supposed to be abandoned by now.