Expiring the session after logout


codefox
03-20-2003, 05:32 AM
I've been trying to expire the session after the user logs out of my site. I have a "logout" link in the site. Previously, when the user clicked the logout link, I closed the window. But the window was not from a user-generated script, so it would display a confirmation dialog. Then I changed the page to redirect, on clicking logout, to a page which would abandon the session. But if the user clicked the back button, the global.asa file would run again and he would still be able to work in the site without logging in! I use Windows authentication. Is there any way I could make the user unable to go back to the page without logging in again after clicking the logout link?

Thanks.

Roelf
03-20-2003, 06:16 AM
If you use a session var to keep track of the user's login status, then do Session.Abandon in the page you redirect to, to destroy all session info.

raf
03-20-2003, 08:52 AM
I must admit I'm not sure I understand your situation, since I don't know how you control your session. So I'm not sure if Roelf's method will work/is necessary. It depends on what you do in your global.asa and how you set and check the session variables.

If a user hits a back button (browser button) or Shift + <--, there's no server interaction, so the global.asa isn't run. So what do you mean with a back button (a button in your app?)
For me, everything that has anything to do with access to a page is separated completely from the global.asa.
edit: unless controlling from which IP the request comes, to avoid denial-of-access attacks.


This is what I do. In my global.asa, I don’t do anything about session-access-control.
I use a login form and, after validating, I set a sort of profile value in a session variable (the value is taken from the database). This profile value (admin = 10, unregistered visitor = 1, ...) determines if the user can open a page, and what is displayed on it. (At the top of each page, I've got a reference to an include for that page's rating.) If they only navigate through the app by using the links I provide, they never get an error. If they try to insert a URL for a page that's rated higher than their profile, they get redirected to the login page and all their session variables are cleared. (I only keep their login tries.) The session itself stays alive, but they can't request any page. (When they log out, the session gets abandoned.)

To prevent them from going back to the pages they visited, I use a response.expires=-1000 so there's no browser caching (set server-side). (If you don't do this, there's no big problem, since they can only view pages they've viewed before, and if they hit a link, their request will be denied and they will be redirected to the login page. I just include it to avoid privacy leaks on shared computers.)

codefox
03-20-2003, 09:53 AM
Originally posted by raf

If a user hits a back button (browser button) or Shift + <--, there's no server interaction, so the global.asa isn't run. So what do you mean with a back button (a button in your app?)

Right, clicking the browser back button doesn't invoke a server response. Sorry I didn't make my point clearly. After clicking the browser back button, if I click any of the links, I'm still able to work with the pages without having to log in again. The problem with my site is that it uses Windows authentication (I use Windows authentication so that anyone with an organizational ID and password can log in). All I'm trying to do is: if the user clicks the browser back button after logging out and then clicks a link, he should either not be allowed to view the page or be prompted to log in again.

raf
03-20-2003, 10:33 AM
Hehheh. Still don't give us the goodies, huh :) Have you got a global.asa, and what is in the Session_OnStart sub?

I'm starting to get the picture, but there remain some gaps. OK. So I suppose you use AUTH_PASSWORD and AUTH_USER to check if the user has passed HTTP authentication (but where, in the global.asa?) and if authentication is passed, you redirect to a start page (in the same page as the authentication check, so probably global.asa). Right? Or do you just use authentication for the whole HTTP session and don't check and process anything when the ASP session starts? Probably more something like this, so in that case, just add a global.asa, or add a redirect in the Session_OnStart sub.

Now, what I would do: on this start page (to which you redirect in the global.asa), set a value for a session variable (or put a login form on this start page and set the server variable after validating their user and password). On all the other pages, have a server-side include that checks if that session variable is set.

If the session is terminated (timeout or abandon), this session object and all its variables are destroyed. So if the user then hits back, they will see the pages (unless you prevented browser-side caching with response.expires), but when they click a link, the global.asa will be run, authentication will be checked and they will be redirected to the start page.

No ?
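The layout raf describes in his two posts above (a profile value stored in a session variable after login, an include at the top of every page that checks it against the page's rating, Session.Abandon at logout, and Response.Expires so the browser keeps no copy) written out in Classic ASP, as an added example that is not code from anyone in this thread. The file names auth_check.asp, login.asp and logout.asp, the session variable names Profile and LoginTries, the rating numbers, and the ProfileFor lookup (a database query in raf's setup, a constructed name list here) are all assumptions.

```asp
<%
' ---- auth_check.asp : server-side include, referenced at the top of every protected page ----
' Assumed convention: Session("Profile") holds an integer rating set on login
' (1 = unregistered visitor ... 10 = admin); absent or non-numeric means "not logged in".

Function UserProfile()
    If IsNumeric(Session("Profile")) Then
        UserProfile = CInt(Session("Profile"))
    Else
        UserProfile = 0   ' no profile: never logged in, or session abandoned / timed out
    End If
End Function

' Deny the page unless the session carries at least minRating.
Sub RequireProfile(minRating)
    If UserProfile() < minRating Then
        ' Clear the application state but keep the session alive so login tries can be counted.
        Dim tries
        tries = Session("LoginTries")
        Session.Contents.RemoveAll
        Session("LoginTries") = tries
        Response.Redirect "login.asp?from=" & Server.URLEncode(Request.ServerVariables("SCRIPT_NAME"))
    End If
End Sub

' Response.Expires only dates the page in the past; Cache-Control: no-store is what
' actually stops the Back button from replaying a stored copy on a shared machine.
Response.Expires = -1
Response.AddHeader "Cache-Control", "no-store, no-cache, must-revalidate"
Response.AddHeader "Pragma", "no-cache"
%>

<%
' ---- report.asp : a protected page (rating 5 or higher) ----
' <!--#include file="auth_check.asp" -->   (the include goes on the line above this block)
RequireProfile 5
%>
<html><body>Report for <%= Server.HTMLEncode(Session("User")) %></body></html>

<%
' ---- login.asp : start page the user lands on after IIS has done Windows authentication ----
' IIS fills AUTH_USER in when the directory requires Windows authentication.
Function ProfileFor(userName)
    ' Constructed lookup standing in for the database query; "DOMAIN\admin" is a made-up account.
    If LCase(userName) = "domain\admin" Then
        ProfileFor = 10
    Else
        ProfileFor = 5
    End If
End Function

Dim user
user = Request.ServerVariables("AUTH_USER")
If user = "" Then
    ' Anonymous access got through: treat as an unregistered visitor, not as logged in.
    Session("Profile") = 1
Else
    Session("Profile") = ProfileFor(user)
    Session("User") = user
End If
Response.Redirect "home.asp"
%>

<%
' ---- logout.asp : target of the logout link ----
Session.Contents.RemoveAll
Session.Abandon            ' takes effect when this page finishes; the next request gets a fresh, empty session
Response.Expires = -1
Response.AddHeader "Cache-Control", "no-store"
Response.Redirect "loggedout.asp"
%>
```

The point this illustrates for codefox's case: Session.Abandon ends only the ASP session. With integrated Windows authentication the browser keeps the user's credentials and sends them again on the next request, so after Back and a click IIS authenticates the user once more and hands out a new session. That new session has no Profile, so RequireProfile sends the user to login.asp; the gate has to be the application-level flag, not the fact that IIS accepted the credentials. Response.Expires is what keeps the old pages from being shown from the cache after logout, and the Cache-Control header covers browsers that ignore Expires for Back/Forward navigation.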

oracleguy
03-20-2003, 04:54 PM
Originally posted by raf

(unless you prevented browser-side caching with response.expires)

Why not just do that? Wouldn't that solve the problem altogether? If they don't see any pages when they hit back, there aren't any links for them to click on.

raf
03-20-2003, 07:19 PM
Depends. Caching has its functions... plus, what will the user do? He'll see a "page has expired" warning and that doesn't look professional. Also, maybe the idea is to redirect the user to a start page, so the response.expires can best be combined with a simple redirect in the Session_OnStart of the global.asa.