Security

Question

I am building a asp.net website and creating a session when user login stores UID and checks each time when user tries to access othe pages whether user had loggedin by checking the whether session is set is it the best way to maintain guest not access pages of my website without login

Andrew Fenster · Answer

What you're talking about now is a different problem. It has nothing to do with the Session data and there are NO perfect fixes. The problem is that the browser caches the page it's displaying. It does this to improve performance. Unfortunately there is no way to force the browser to delete its cache. You don't have that kind of control over the client machine. So even after the user logs out your page is still cached in the browser. There are a few things you can do. Most important you can set your pages to tell the browser not to cache. That is you can't tell the browser to delete its cache but you can tell it not to cache your pages in the first place. The problem with this is that your pages will be much slower because the browser isn't caching. Still if you are making something where security is extremely important that's what you have to do. There are other tricks which are less reliable. For example when a user logs out I sometimes redirect them to a page which has Javascript. The Javascript instantly redirects the user to a third page. Now when they hit the back button they end up on the Javascript page again. In some browsers (not all) the Javascript will execute again redirecting them again. So they wind up in the same place even when they hit the back button. It doesn't work with all browsers. It doesn't prevent the user from using their history to go back two screens instead of one. Still it has some limited benefit. There are hundreds of articles discussing what to do in this situation. Unfortunately other than preventing caching there are no really good solutions.

kalpa vachhani · Answer

Hi u r right but when I goes back in the browser it still gives Users data inspite of I have ended the session till I refresh the page

Purushottam Rathore · Answer

hi kalpa Suppose you have stored the userid in session like Session[ UserId ]=userId; Now you have to check the session is not null to access the page like as follows- protected void LinkButtonGoToMyAccount_Click( object sender EventArgs e) { if (!object.Equals(Session[UserId] null)) { Response.Redirect(MyAccount.aspx); } else { Response.Redirect(Login.aspx); } }

Andrew Fenster · Answer

It sounds like you should be using ASP.Net forms security. With forms security you can have some pages which are accessible to all and other pages which require a login. If you are not logged in and you try to view a page which requires login you are automatically redirected to the login page. After logging in you are sent back to the page you were trying to view. Forms security is easy to do but it's too complicated to explain in a forum answer. You'll need to read up on it. It's the easiest way to accomplish what you're trying to accomplish.