  1. #1
    New Coder (greater manchester, uk; joined Mar 2005; 65 posts)

    managing security

    hello!

    ok, here's my current situation:


    1. i have an .asp that acts as a simple login page containing a form with two fields (login and password) and a submit button.

    when the user supplies details, the data is checked against a database.



    2. assuming that the user's details are correct, i then redirect them (using response.redirect()) to a separate .asp that acts as my main application.

    this .asp contains a form with a logout button.

    when the user clicks the logout button, they are redirected back to the login .asp



    what i want to do, but can't quite seem to achieve, is to use the logout button as a security measure that will not only return the user to the login .asp, but will also prevent them from re-accessing the main .asp simply by clicking the back button on their browser.

    i'd like to do this without having to resort to any client-side scripting, putting everything in a single .asp or messing around with the user's browser in any way. i'd rather not even rely on cookies, being that a user could simply disable them and not be able to use my application.

    is there any means to make the main application .asp timeout somehow, or would it be more secure to keep checking the user's credentials against the database?

    am i going about this the wrong way altogether?


    this is really doing my head in, so it would be just ace if you could help me out.


    thanks!


    PS - i'm using VBScript; just in case it makes any difference

  • #2
    ess, Regular Coder (United Kingdom; joined Oct 2006; 866 posts)
    When your users log in to a secure section of the website, you should specify that the page has expired sometime in the past and as such, the browser will not cache it. Basically, when the user clicks on the back button, the browser will call the server for a fresh copy...in which case, the server will redirect them to the login page.

    Note: you should ensure that every secure page (page that requires login) checks that the user has already logged in, before outputting any contents to the user's browser.

    Here is an example of using plain html to inform the browser that the page has already expired.

    Code:
    <!-- the EXPIRES date in the past tells the browser its copy is already stale -->
    <meta http-equiv="CACHE-CONTROL" content="NO-CACHE" />
    <meta http-equiv="PRAGMA" content="NO-CACHE" />
    <meta name="GOOGLEBOT" content="NOARCHIVE" />
    <meta http-equiv="EXPIRES" content="Mon, 26 Jul 1997 05:00:00 GMT" />
    Here is an example of using ASP to inform the browser the page has already expired

    Code:
    <%
    ' adds the header to the HTTP response itself rather than to the HTML body
    Response.AddHeader "Last-modified","Mon, 01 Sep 1997 01:03:33 GMT"
    %>
    Good luck.
    Ess

  • #3
    New Coder (greater manchester, uk; joined Mar 2005; 65 posts)

    thanks!

    thanks, ess!


    i'll give that a try.

  • #4
    Senior Coder (North-East, UK; joined Nov 2002; 1,265 posts)
    More info:
    http://www.learnasp.com/freebook/asp/cachenomore.aspx

    Also, I assume that you are using sessions for your login?
    Make sure you clear them correctly
    http://www.w3schools.com/asp/met_contents_remove.asp
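    Putting replies #2 and #4 together, as an added example that is not code from this thread: an include that sends the no-cache headers server-side and refuses to render a protected page without a valid session, plus a logout page that clears and abandons the session. The file names login.asp, main.asp, logout.asp and checklogin.asp, and the Session("UserID") key, are assumptions; it also assumes IIS response buffering is on (the default), so the redirect can be sent from an include.

```vbscript
<%
' ---- checklogin.asp (included at the top of every protected page) ----
' Server-side versions of the no-cache meta tags from reply #2. A browser
' that honours these re-requests the page when Back is pressed instead of
' showing a stored copy.
Response.CacheControl = "no-cache, no-store, must-revalidate"
Response.AddHeader "Pragma", "no-cache"
Response.Expires = -1

' The actual access control: headers only discourage caching, so every
' protected page must also verify the session before sending any content.
' Session("UserID") is an assumed key that login.asp sets only after the
' database check succeeds.
If IsEmpty(Session("UserID")) Or Session("UserID") = "" Then
    Response.Redirect "login.asp"
    Response.End
End If
%>

<%
' ---- logout.asp (target of the logout button) ----
' Remove every session variable, then abandon the session so its ID is no
' longer valid. A later Back press refetches main.asp, whose checklogin
' include finds no UserID and sends the visitor to login.asp.
Session.Contents.RemoveAll
Session.Abandon
Response.Redirect "login.asp"
%>

<%
' ---- main.asp (the protected application page) ----
' The include sits before any HTML so its headers and redirect are sent
' first; nothing below it is delivered to an unauthenticated visitor.
%>
<!-- #include file="checklogin.asp" -->
<html><body>
<form method="post" action="logout.asp">
  <input type="submit" value="Log out" />
</form>
</body></html>
```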

  • #5
    New Coder (greater manchester, uk; joined Mar 2005; 65 posts)

    thanks!

    cheers!

    glad i checked back here; that info should come in handy for something i've just started work on.

