Disable access to pages after logout (Session.Abandon) in C#/ASP.NET_问答_开发者

Disable access to pages after logout (Session.Abandon) in C#/ASP.NET

开发者 https://www.devze.com 2023-01-05 16:05 出处：网络

I\'m interested in disallowing the following after logout: -- no back button -- no direct access to page开发者_如何学JAVAs via URL - for example: if the user logs out then they should not be allowed

相关专题：asp.net

I'm interested in disallowing the following after logout:

-- no back button

-- no direct access to page开发者_如何学JAVAs via URL - for example: if the user logs out then they should not be allowed to see a cached page using some URL (e.g., replacing the URL with a valid URL in the site http://mysite.com/Gotothispage.aspx)

I've seen similar questions like this one: How to disable the back button in browser when user logout in asp.net c#

I know that I can set no cache on the master page, but then I lose the ability to use the back button when the user is actually logged in. Am I correct in this understanding?

A page is either cacheable or it isn't, the browser has no idea if you are logged in or not. You can't somehow retrospectively expire objects already cached by the browser.

Then I lose the ability to use the back button when the user is actually logged in. Am I correct in this understanding?

Not entirely - you'll have problems using the back button on pages that are submitted using POST, but not GET.

A simple example would be to imagine an ASP.NET page with a paged Gridview - the user clicks pages 1,2,3,4,5, etc to navigate the grid.

Using POST, every time the user clicks another page in the grid, it will cause a postback to the same page. A page expired error will appear if the user clicks back after doing this.

Using GET, every time the user clicks another page in the grid, it will redirect them to the same page using a querystring (ie, Grid.aspx?Page=2). In this case, the user can click back, and it will take them to the previous page without any problems.

Pages should already be disabled after logging out, if your security is setup correctly.

If you have a master page or basepage class specifically for users that are logged in, you should check if they have a sessionId that you set when they logged in.

If they don't, redirect them to another page.

Users may see a cached version of a page, but can't do anything to it.

In my basepage class for members, i check if they are logged in on the OnInit event:

protected override void OnInit(EventArgs e)
{
    base.OnInit(e);

    if (!IsLoggedIn)
    {
        Response.Redirect("default.aspx");
    }
}

Edit:

What some sites do is..after you log the person off, they redirect you to a temporary purgatory page that says it is logging you off. This purgatory page will have caching turned off, and has a meta-refresh tag that takes you to your destination page.

So when the user clicks on the back button, it takes them to the purgatory page which then directs them right back to where they were.

Gmail does this, but sometimes it's so fast you can't tell.