Security

kalpa vachhani

14y
I am building an ASP.NET website. When a user logs in, I create a session that stores the UID, and each time the user tries to access other pages I check whether the user has logged in by checking whether the session is set. Is this the best way to keep guests from accessing pages of my website without logging in?
Answers (4)
0
Andrew Fenster

NA 2.2k 1.5m 14y
What you're talking about now is a different problem.  It has nothing to do with the Session data, and there are NO perfect fixes.  The problem is that the browser caches the page it's displaying.  It does this to improve performance.  Unfortunately, there is no way to force the browser to delete its cache.  You don't have that kind of control over the client machine.  So even after the user logs out, your page is still cached in the browser. 

There are a few things you can do.  Most important, you can set your pages to tell the browser not to cache.  That is, you can't tell the browser to delete its cache, but you can tell it not to cache your pages in the first place.  The problem with this is that your pages will be much slower because the browser isn't caching.  Still, if you are making something where security is extremely important, that's what you have to do.

There are other tricks which are less reliable.  For example, when a user logs out, I sometimes redirect them to a page which has JavaScript.  The JavaScript instantly redirects the user to a third page.  Now, when they hit the back button, they end up on the JavaScript page again.  In some browsers (not all), the JavaScript will execute again, redirecting them again.  So they wind up in the same place even when they hit the back button.  It doesn't work with all browsers.  It doesn't prevent the user from using their history to go back two screens instead of one.  Still, it has some limited benefit.

There are hundreds of articles discussing what to do in this situation.  Unfortunately, other than preventing caching, there are no really good solutions. 
0
kalpa vachhani

NA 34 44.3k 14y
Hi, you are right, but when I go back in the browser it still shows the user's data, in spite of my having ended the session, until I refresh the page.
0
Purushottam Rathore

20 8.9k 6.6m 14y
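Hi kalpa,

Suppose you have stored the user ID in the session like this:

Session["UserId"] = "userId";

Now you have to check that the session value is not null before allowing access to the page, as follows:

// Click handler for the link that leads to the account page.
protected void LinkButtonGoToMyAccount_Click(object sender, EventArgs e)
{
    // A non-null Session["UserId"] means the user has logged in.
    if (!object.Equals(Session["UserId"], null))
    {
        Response.Redirect("MyAccount.aspx");
    }
    else
    {
        // No session value: send the visitor to the login page.
        Response.Redirect("Login.aspx");
    }
}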
0
Andrew Fenster

NA 2.2k 1.5m 14y
It sounds like you should be using ASP.NET forms security.  With forms security, you can have some pages which are accessible to all and other pages which require a login.  If you are not logged in and you try to view a page which requires login, you are automatically redirected to the login page.  After logging in, you are sent back to the page you were trying to view.

Forms security is easy to do, but it's too complicated to explain in a forum answer.  You'll need to read up on it.  It's the easiest way to accomplish what you're trying to accomplish.
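
As an added example (not part of the original thread and not any poster's code), the two measures from the answers above combined in one place: the Session["UserId"] check run on every request to a protected page, and the headers that tell the browser not to cache it. The class name ProtectedPage and the SignOut helper are hypothetical; Login.aspx and MyAccount.aspx are the page names used in the thread.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class (added example, not from the thread). Pages that
// require a login inherit from it instead of System.Web.UI.Page, e.g.
//   public partial class MyAccount : ProtectedPage { ... }
public class ProtectedPage : Page
{
    private const string UserIdKey = "UserId";      // session key used in the thread
    private const string LoginUrl = "~/Login.aspx"; // login page named in the thread

    protected override void OnInit(EventArgs e)
    {
        // Ask the browser and intermediate caches not to keep a copy of this
        // response, so going Back after logout leads to a new request to the
        // server instead of redisplaying the previous user's page.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));

        // Server-side gate on every request to the page itself, not only on
        // the link that leads to it. Redirect(string) ends the response, so
        // no protected markup is rendered for a visitor without a session.
        if (Session[UserIdKey] == null)
        {
            Response.Redirect(LoginUrl);
        }

        base.OnInit(e);
    }

    // Hypothetical logout helper: call it from the logout button's handler.
    protected void SignOut()
    {
        Session.Clear();    // drop the stored UserId immediately
        Session.Abandon();  // discard the server-side session at end of request
        Response.Redirect(LoginUrl);
    }
}
```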