View Full Version : managing security

01-20-2007, 12:16 AM

ok, here's my current situation:

1. i have an .asp that acts as a simple login page containing a form with two fields (login and password) and a submit button.

when the user supplies details, the data is checked against a database.

2. assuming that the user's details are correct, i then redirect them (using response.redirect() to a seperate .asp that acts as my main application.

this .asp contains a form with a logout button.

when the user clicks the logout button, they are redirected back to the login .asp

what i want to do, but can't quite seem to achieve, is to use the logout button as a security measure that will not only return the user to the login .asp, but will also prevent them from reaccessing the main .asp simply by clicking the back button on their browser.

i'd like to do this without having to resort to any client-side scripting, putting everything in a single .asp or messing around with the user's browser in any way. i'd rather not even rely on cookies, being that a user could simply disable them and not be able to use my application.

is there any means to make the main application .asp timeout somehow, or would it be more secure to keep checking the user's credentials against the database?

am i going about this the wrong way altogether?

this is really doing my head in, so it would be just ace if you could help me out.

thanks! :)

PS - i'm using vbScript; just in case it makes any difference

01-20-2007, 03:43 AM
When your users log in to a secure section of the website, you should specify that the page has expired sometime in the past and as such, the browser will not cache it. Basically, when the user clicks on the back button, the browser will call the server for a fresh copy...in which case, the server will redirect them to the login page.

Note: you should ensure that every secure page (page that requires login) should check that the user has already logged in, before outputing any contents to the user's browser.

Here is an example of using plain html to inform the browser that the page has already expired.

<meta http-equiv="CACHE-CONTROL" content="NO-CACHE" />
<meta http-equiv="PRAGMA" content="NO-CACHE" />
<meta name="GOOGLEBOT" content="NOARCHIVE" />
<meta http-equiv="EXPIRES" content="Mon, 26 Jul 1997 05:00:00 GMT" />

Here is an example of using ASP to inform the browser the page has already expired

Response.AddHeader "Last-modified","Mon, 01 Sep 1997 01:03:33 GMT"

Good luck.

01-20-2007, 12:14 PM
thanks, ess!

i'll give that a try. :)

01-23-2007, 02:50 PM
more info

Also, I assume that you are using sessions for your login?
Make sure you clear them correctly

01-30-2007, 10:52 PM

glad i checked back here; that info should come in handy for something i've just started work on. :D