Really Quick Redirect Question


Thatguy2001au
08-11-2003, 10:34 AM
Hey guys

I have a login page which once the login is successful, the user gets redirected to another page.

The problem is that the user is able to hit the back button at the page they got redirected to, and so they go back to the login page, which prompts them to log in again even though they are already logged in.

I'd rather not have this happen but I don't know how to avoid it. If they type in the URL for the login page when at the redirected page after logging in, and hit enter to get there, then they get a message saying they are already logged in, which is what i want to happen if they hit the Back button as well.

I have added <%response.expires = -1000 %> at the top of the page which works fine if they come back to the login page any other way than using the back button.

Anyone got any ideas what i can do, or am i gonna have to put up with it and hope people don't do it?

Thanks

Thatguy

raf
08-11-2003, 11:27 AM
Set a flag.

In the loginscript, right after you validated his username and password and before you redirect, you insert something like this:

session("logclear")= 1

On top of your loginscript (the ASP file that processes the loginform) you check for that flag like

if session("logclear") = 1 then
    response.redirect ("mainmenu.asp")
else
    ' the rest of your code
end if

Or instead of a redirect, you can print a message and supply a link or so.
The session("logclear") can also be used in other pages to check if the user is logged in (in an includefile at the top of each page).

Thatguy2001au
08-11-2003, 11:36 AM
Thanks Raf

I tried, but unfortunately i still got the same problem.

If they hit the back button, they still get the login form again unless you hit the refresh button.

If there is no way around it, then i guess i will just have to live with it.

Thanks

Thatguy

Thatguy2001au
08-11-2003, 11:38 AM
I haven't tried the printing the link thing. I just noticed it now when i posted my reply.

I will give it a go and see what happens.

thatguy

Thatguy2001au
08-11-2003, 11:56 AM
Unfortunately that doesn't work either.


Is there a way i can disable the browsers back button before redirecting the user to the next page so they can't go back???


Thatguy

raf
08-11-2003, 12:04 PM
the problem is that you cached the loginscript.
First delete the cache (both on the server and on the client) and then try again, to make sure you're not getting a page that was cached before you added the response.expires (you can also check this by adding something, like response.write (Now()) )

But there's no bulletproof way of preventing people from moving back into their history. Not even with cache-control, since they can have incorrect date-time settings or use a browser that ignores the caching instructions.
The only thing you can do is (let ASP) set the meta-tags and use some javascript to automatically forward them on that page (the javascript will only have an effect if the page is loaded clientsided). Here's some more info on setting the metatags and the history.forward(): http://www.codingforums.com/showthread.php?s=&threadid=9897&highlight=caching+back

raf
08-11-2003, 12:18 PM
Posts crossed.
Originally posted by Thatguy2001au
Is there a way i can disable the browsers back button before redirecting the user to the next page so they can't go back???

Not really. You could open your app in a window without that toolbar, but they'd still have the alt + <-- option, so you would need to disable that too, and this requires javascript (which isn't bulletproof since it can be disabled)
+
neither of those is really permitted. It's the client's choice to decide which toolbars should be on his window and which features he can use.

The best thing you can do is the history.forward(); to 'neutralise' the history.back();

Thatguy2001au
08-11-2003, 12:32 PM
How would i write the history.forward() thingy to work with my code???

do i put it in the <head> and call it before i do the response.redirect or something? If so, how would i do that?

thatguy

raf
08-11-2003, 12:57 PM
well, i'm not a javascript expert (i force myself to almost never use or learn it) but it seems to me you can do that, or use the onload event on the body like
<body onload="history.forward(1);">

Here's some more info on all possible alternatives : bottom line --> no bulletproof method so it's up to the client
http://www.4guysfromrolla.com/webtech/111500-1.shtml

but i would still use the flag, since even if they jump back to the loginform, once they post the loginform (if they reenter their data), there's always serverinteraction, and with that flag, you can skip all the processing and avoid db-interaction etc. Especially if you do some session-management inside your table, this prevents you from creating duplicate session-records and generating errors.
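
The guard-first flow described in this thread, combined with no-cache response headers, as an added example that is not part of any post here. It is modelled in JavaScript as a pure function rather than in the thread's ASP; `handleLogin`, `verify`, `NO_CACHE` and `replayBackButton` are constructed names, while the `logclear` flag and `mainmenu.asp` come from the posts above.

```javascript
// Added example: control flow of the login script, modelled as a pure function.
// From the thread: the "logclear" session flag and mainmenu.asp.
// Constructed for this example: handleLogin, verify, NO_CACHE, replayBackButton.
const NO_CACHE = {
  "Cache-Control": "no-store, no-cache, must-revalidate",
  Pragma: "no-cache",
  Expires: "0",
};
const LOGIN_FORM = '<form method="post" action="login.asp">...</form>';

function redirect(location) {
  return { status: 302, headers: { ...NO_CACHE, Location: location }, body: "" };
}

function handleLogin(req, session, verify) {
  // Guard first and return at once: a logged-in session never reaches the
  // credential check, whether it arrived by Back, a typed URL or a re-post.
  if (session.logclear === 1) return redirect("mainmenu.asp");

  if (req.method === "POST") {
    if (verify(req.form.username, req.form.password)) {
      session.logclear = 1; // set the flag before redirecting
      return redirect("mainmenu.asp");
    }
    return { status: 200, headers: { ...NO_CACHE }, body: "Login failed. " + LOGIN_FORM };
  }
  // Plain GET from a session that is not logged in: show the form, uncached.
  return { status: 200, headers: { ...NO_CACHE }, body: LOGIN_FORM };
}

// Constructed scenario: log in, then re-post the same form from a page the
// browser kept in its history. Returns how often credentials were checked.
function replayBackButton() {
  let checks = 0;
  const verify = (user, pass) => {
    checks += 1;
    return user === "demo" && pass === "constructed-pass"; // constructed values
  };
  const session = {};
  const post = { method: "POST", form: { username: "demo", password: "constructed-pass" } };
  const first = handleLogin(post, session, verify);
  const second = handleLogin(post, session, verify); // stale form re-submitted
  return { first, second, checks };
}
```

The second submission is answered with the redirect and the credential check runs only once, which is the saved processing the flag is meant to provide.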

Thatguy2001au
08-11-2003, 01:11 PM
Thanks a lot raf, you've been very helpful. I'm now using the Flag idea you gave me.

So like you say, if they do post the login form again, i stop it dead in its tracks and return a message that they are already logged.

The problem was that I was checking for the flag, but i was ending that IF statement straight away after that without putting my other code within the ELSE option. Therefore, once it checked for the flag, it then continued with the rest of the code, which i didn't want it to do.

I don't know how i missed that. maybe i just need a break!

Thanks again raf, you gave me more options anyway that might come in handy in the future.

Just one last thing concerning MySQL. At the moment, i have coded a shopping cart to work with sql server. If i wanted to use MySQL instead, would it be just a matter of changing the connection string, or are there other code changes i would have to make??? I know i would have to remake my stored procedures into my asp code, but apart from that, should things work the same??? Are there any important code differences that i should look at?

Thatguy.

raf
08-11-2003, 02:46 PM
If i wanted to use MySQL instead, would it be just a matter of changing the connection string, or is there other code changes i would have to make??? I know i would have remake my stored procedures into my asp code, but apart from that, should things work the same??? Are there any important code differences that i should look at?

Well, i assume you have the connectionstring inside a server side include, so you'd need to replace it there (once). You're right about the SP.
The SQL statements could need some changing, depending on what you used. The more standard syntax like select and update etc, is almost completely the same. (Except that MySQL has INSERT INTO ... SELECT ... , where Jet SQL also has SELECT ... INTO ...) The differences are more inside aggregation functions (like TOP etc --> LIMIT is more accurate since using TOP might return more lines than expected, for instance when there are duplicate values) and data-definition and datamaintenance (creating tables, creating dumpfiles, using cascades etc) but it's not hard to learn this SQL-version. A quick search on mysql.com always delivered for me.
Your ASP code stays the same (since the embedded SQL are just stringvalues for ASP). Well, maybe you now need to add some ASP to perform all operations that are now done inside the SP, but that has nothing to do with the db-format.

If you know in advance that there might be more than 1 db-format powering your app, then you need to use only sql-syntax that is supported by 'all' versions, or by the db's you mainly target. But this sometimes means you can't use some of the goodies. So you could also have a variable in your include that holds the db-format, and then run another statement depending on the db-format.
Say you have dbformat = "sqlserver" inside your SSI. Then you could have something like this inside your code

select case dbformat
    case "sqlserver"
        sql="select top 5 salestotal, managerID from sales order by salestotal desc"
    case "mysql"
        sql="select salestotal, managerID from sales order by salestotal desc limit 5"
end select

rsSales.Open sql, conn

The recordsethandling is then completely the same.
For most queries, you won't need this select case since the syntax is identical.

Thatguy2001au
08-11-2003, 03:36 PM
Thanks for the info. I just wanna get a bit of an understanding of MySQL so i can transport some apps i have which use MS SQL Server and see how MySQL and SQL Server compare. You've given me a good idea of what i need to do and what i need to look at.

I'll give MySQL a go and see what happens. Thanks again, and if I run into any trouble, i'll be sure to post it on here.

Thanks

Thatguy

whammy
08-12-2003, 01:27 AM
raf, as great as server-side code is, it's really helpful at times to know javascript, as well. Not only can it make your life easier but it can be impressive at times. Of course, used in conjunction WITH server-side validation, etc. :D

raf
08-12-2003, 08:41 AM
even without javascript, my life is swell :)

my (twisted?) logic is that javascript is only useful for 'nice to have' features and not for important/'crucial' features cause simply 10% or so has javascript disabled.
So for navigation, redirecting, etc i can't rely on javascript. And what remains if you use CSS or XML and XSL ?

At the moment, i've only got some history.back(); links in my pages, but i'm all gonna replace them with HTTP_REFERER whenever possible.


But i'll take your word for it that javascript can come in handy.