开发者

ASP.Net Logout not working as expected

开发者 https://www.devze.com 2023-03-25 13:31 出处:网络
I know this has been asked and answered many times previously, believe me I\'ve been through all of the posts looking for a solution before asking again.

I know this has been asked and answered many times previously, believe me I've been through all of the posts looking for a solution before asking again.

If a user logs into a page, takes a copy of the URL, logs out then pastes the URL back into the browser, they can get access to the page they had previously visited very briefly before the browser redirects to the login page once more. During this brief window, if they are fast enough with the mouse and can click on a button or other control, they are somehow logged back into the site, no questions asked.

I've tried including the following code suggestion from another thread on the subject into each Page_Load event to avoid caching but no success.

    private void ExpirePageCache()
    {
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetExpires(DateTime.Now - new TimeSpan(1, 0, 0));
        Response.Cache.SetLastModified(DateTime.Now);
        Response.Cache.SetAllowResponseInBrowserHistory(false);
    }

Code from logout.aspx is as follows:

    protected void Page_Load(object sender, EventArgs e开发者_Python百科)
    {
        FormsAuthentication.SignOut();
        HttpContext.Current.Session.Clear();
        HttpContext.Current.Session.Abandon();
        Response.Redirect("~/Account/Login.aspx");
    }

Should I be using Server.Transfer() instead of Response.Redirect()?

I've read somewhere that I'm not allowed to clear the browser history programatically so am a bit stuck. Anyone have any clues please?


Yeah, that line of code is already included in the Page_Load event of the logout.aspx page. It's the first line of code that gets executed...


I suspect something else is up.

When you call response.redirect, none of the page content generated is sent to the client. ASP uses buffering, so as you generate your page, it's buffered until you get to the end, at which point that buffer is sent to the client. This allows you to make changes right up till the last moment, eg sending a redirect response. So that's not your issue.

Are you using output caching or setting the forms auth ticket to persistent? If the browser has a cached copy of the content, it will show that, rather than hit the server (as caching is designed to do). The minute you hit the server though, if the cookie is invalid, then the server should redirect you to somewhere to get a new ticket. if it's not doing that, then somehow it's finding a valid ticket.

You could use Fiddler to monitor the traffic. You can mimic a new browser session by sending request by hand using Fiddler and removing the session & ticket cookies.

Simon

0

精彩评论

暂无评论...
验证码 换一张
取 消