How to create a safe logout?

Question

Hi All I developed a login page and added a link button(for logout) in other pages. The code that I used behind logout is just Response.Redirect(Login.aspx) So when I click logout it redirects me to the Login page but when I click back button in the browser it goes into the application without the need of login. :-( Can anyone please help me how to do a safe logout in a web appliction so that even when I click back button it should not be entered into the application again without a proper login? I've uploaded the code that I used in my login page. Please refer that. I haven't used FormsAuthentication. Please help me to resove this in vb.net. Imports System.Data.SqlClient Partial Class Default2 Inherits System.Web.UI.Page Protected Sub Login1_Authenticate(ByVal sender As Object ByVal e As System.Web.UI.WebControls.AuthenticateEventArgs) Handles Login1.Authenticate Dim authentication As Boolean = False authentication = Sitelevelauthentication(Login1.UserName Login1.Password) e.Authenticated = authentication If authentication = True Then Response.Redirect(Default.aspx) End If End Sub Private Function Sitelevelauthentication(ByVal Username As String ByVal Password As String) As Boolean Dim boolretval As Boolean Dim con As New SqlConnection Dim Dr As SqlDataReader Dim sql As String con.ConnectionString = Data Source=;Initial Catalog=;User ID=;Password= sql = SELECT * FROM Login con.Open() Dim cmd As New SqlCommand(sql con) Dr = cmd.ExecuteReader() While Dr.Read() If Username = Dr(Username).ToString And Password = Dr(Password) Then boolretval = True End If Dr.Close() Return boolretval End While End Function End Class

Andrew Fenster · Answer

Ranjani Why aren't you using ASP.Net Forms security? It's easier and much more secure than trying to roll your own security. You don't have to check session on every page. Also if security is really an issue you simply can't do it on the client. The user can disable or modify the Javascript. If you're relying on Javascript for security you probably aren't secure. Your content is still cached in the browser and can be viewed in a variety of ways. If I wanted to bypass your proposed security I would just turn off Javascript in my browser. Even if I didn't know to do that your Javascript won't work in many browsers and neither will your meta tag. It won't work because some browsers don't execute the Javascript when you arrive at the page by hitting the back button. Try it in a few browsers and you'll see. It also doesn't prevent the user from looking in the temporary internet files folder. The only way to prevent a determined user from viewing old pages in the browser is to prevent the browser from caching. What you should do: (1) Use Forms security. You can read about it online. (2) Prevent caching. The easiest way to do this is to add this to each page in the OnLoad( ): Response.Cache.SetCacheability(HttpCacheability.NoCache); Response.Cache.SetAllowResponseInBrowserHistory(false);

Andrew Fenster · Answer

I just wanted to explain why you're having problems. Your browser caches the web pages it views. This makes everything faster. When a page reloads the browser only downloads and updates the items that have changes. The rest comes from the browser's cache. The problem with this is that even after the user has logged out the browser still has the pages cached including the ViewState. So you can hit the back button or history and view the old pages. You can also look in the temporary internet files folder and see things. The ONLY way to prevent this is to tell the browser not to cache. That's what Muralidharan told you to do. The result is that your pages will display slower (because the browser isn't caching). But it's the ONLY way to be secure. Any other hacks (e.g. disabling the back button) are NOT SECURE . They can all be bypassed easily. Javascript can be disabled. You can use the history records instead of the back button. You can look in the temporary internet files folder. The ONLY way to be secure is to make sure the browser doesn't have sensitive data cached. If it's cached in the browser people can get at it. Disabling the back button provides almost no security. You should call Session.Abandon and FormsAuthentication.SignOut as a normal part of logging out but it doesn't fix your problem. The guy who gave you the right answer is Muralidharan.

Jonathas Sucupira · Answer

Why don't you use a stored procedure to verify the login credentials? By the code I see you could have problems with SQL injection. Not to mention you are not encryption the password. For a secure and easy implementation I would use ASP Memberships.

Andrew Fenster · Answer

Suthish I didn't know that. That would be interesting to know whether it works in Firefox. THe more important part however is the first line which blocks caching. As long as that one is working you should be OK. I've spent a lot of time working on banking and insurance applications where all of this really matters. It's a real problem. I think I'm going to write an article!

Suthish Nair · Answer

SetAllowResponseInBrowserHistory Am not sure i read somewhere about above method which does not supported in browser Fire Fox.

Ran · Answer

Hi All Thank you for your responses. Finally I've come up with a solution. It will be useful for others who tried like me. 1. Create a session variable like this: session.Add(Login Yes) 2. check it in other pages: If Not session(Login) = Yes Then Response.Redirect(LoginPage.aspx) End If 3. In the logout page add this: session.Abandon() Also it's better to use this: the above one is to redirect to a particular page after some time and the below script will prevent submission of previous page when back button in the browser is clicked. javascript:window.history.forward(1); in your code Thanks Ranjani.

Andrew Fenster · Answer

I'm sorry Suthish. I hope you weren't offended. Actually disabling the back button might deter the casual non-technical user. It won't stop someone who is determined. I've done another Javascript trick as well. When the user logs out you send them to logoutpage1. This page has Javascript which immediately redirects to logoutpage2. The user never even sees logoutpage1 because he is immediately redirected. Now if the user hits the back button he goes back to logoutpage1 which SOMETIMES redirects again to logoutpage2. It doesn't work in all browsers. It provides a little bit of security but it won't stop someone with even a little bit of knowledge. The only real fix is to prevent caching.

Suthish Nair · Answer

Yes Andrew has a valid point and is good to updating the thread.. Disabling cache is the foolproof solution. I just provided another solution.

Suthish Nair · Answer

couple of ways you can do this.. Clearing all sessions.. Session.Clear() Session.RemoveAll() Session.Abandon() Response.Redirect(Login.aspx) Disabling history/back button hit.. Protected Overloads Overrides Sub OnPreRender(ByVal e As EventArgs) MyBase.OnPreRender(e) Dim strDisAbleBackButton As String strDisAbleBackButton =   & vbLf strDisAbleBackButton += window.history.forward(1); & vbLf strDisAbleBackButton += vbLf &   ClientScript.RegisterClientScriptBlock(Me.Page.[GetType]() clientScript strDisAbleBackButton) End Sub

Felipe Ramos · Answer

If you are going to have the same check on every page create a base page where you have that code and inherit from that page. BasePage : Page { } and any form you created should inherit from that BasePage that way your code is in only one place.

Muralidharan Deenathayalan · Answer

All the pages in your application.

Ran · Answer

I've uploaded my code..

Ran · Answer

Hi Thank you for your quick response. In which page do you suggest me to use the code?

Gowtham manju · Answer

U can solve this by using 1)Passing Query String responce.redirect(ss.aspx?+txt); 2)Passing Cookies http cookies cname=new http cookies(name); cname.value=txt_text; responce.cookies.add(cname); responce.redirect(ss.aspx); in pages lbl_text.text=request.cookies[name].value; 3)Creating sessions session[name]=textboxname; lbl_txt.text=session[name].tostring(); 4) Application Variables application[name]=txt.text; lbl.text=application[name].tostring(); 5)Http context public string getname {get{return txt_text;}} server.transfer(ss.aspx); u can follow the above ways for secure logout try it

Muralidharan Deenathayalan · Answer

Try this also. http://www.codeguru.com/csharp/.net/net_debugging/debugging/article.php/c12891 protected void Page_Load(object sender EventArgs e) { Response.Cache.SetCacheability(HttpCacheability.NoCache); Response.Cache.SetExpires(Now.AddSeconds(-1)); Response.Cache.SetNoStore(); Response.AppendHeader(Pragma no-cache); if (Page.IsPostBack){ if (isPageExpired()){ Response.Redirect(expired.htm); } else { Session(TimeStamp) = Now.ToString; ViewState(TimeStamp) = Now.ToString; } } //........... //your own function here } private boolean isPageExpired() { if (Session(TimeStamp) == null || ViewState(TimeStamp) == null) return false; else if (Session(TimeStamp) == ViewState(TimeStamp)) return true; else return false; }

Muralidharan Deenathayalan · Answer

There is no attached. In the log-out button what you have writtern? Have you cleared the session/cookies? How you're maintaining the cookies/session ?

Felipe Ramos · Answer

Ranjani I am going to assume that you are using a Session to keep any user login. Below you will find a typical Logout event protected void Logout() { try { Page.Session.Abandon(); FormsAuthentication.SignOut(); Response.RedirectPermanent(~/Default.aspx false); } catch (Exception ex) { Response.Write(ex.Message); } } Session.Abandon() you will always need. The second line you will only need for Forms Authentication and the last is optional to redirect wherever which it sound like you are doing already.