user Logout

Old forum URL: forums.lhotka.net/forums/t/1403.aspx


yh_ink posted on Thursday, October 05, 2006

I would like to know the best way to implement logout. In my logout.aspx I clear all the session variables, but when I click my browser back button I can view the pages. When I try to click anything within those, it takes me to default. But my question is: why does the back button take me to the last viewed page?

Is there a way to handle it?

ajj3085 replied on Thursday, October 05, 2006

The best you can do is add various no cache directives to each page.  The user can click back because the page is cached locally on the client's workstation.

yh_ink replied on Thursday, October 05, 2006

If I use no cache then users will not have the ability to go back. Does anyone have any more views on this? Is there a way to remove the cache data of all pages at one particular point?

figuerres replied on Thursday, October 05, 2006

yh_ink:

I would like to know the best way to implement logout. In my logout.aspx I clear all the session variables, but when I click my browser back button I can view the pages. When I try to click anything within those, it takes me to default. But my question is: why does the back button take me to the last viewed page?

Is there a way to handle it?

Are you doing a clear or a Session.Abandon()?

Also, your logout page should (IMHO) redirect the user to the /default.aspx or /default.html page.

I am not 100% sure, but I think if you do an abandon and toss them to a default page that you will be in good shape. Make sure that the app requires a login and the default does not.

Session.Clear just kills the session vars. Abandon invalidates the session.

And as you note, even if they go back they get prompted for a logon.

Remember: the client can request a page; we cannot force too much... just make sure the server does the "right thing" with the request.

I've seen devs spend way too much time trying to hack that back button in apps!

ajj3085 replied on Friday, October 06, 2006

figuerres:
Are you doing a clear or a Session.Abandon()?

This won't clear the cache, and the browser will load the page to the cache.

The only option to prevent back button clicking is to add nocache directives. You can't have it both ways; either you add the nocache, which means the user loses back altogether, or you leave it as is, and the user can 'back' to pages after logout.

You have no control over the client; technically the nocache is a best effort, since browsers don't even have to honor such directives.

yh_ink replied on Friday, October 06, 2006

OK, I agree with you. But how do the big sites like Yahoo, Hotmail etc. handle this? I noticed that after logout, no matter how much I try to click back, it directs to the login page on these sites. Just curious to know what they do.

How do they handle this? Any ideas, please let me know.

Brian Criswell replied on Friday, October 06, 2006

I am by no means a web developer, but could you not just remove the principal from session?  Then when each page loads, you could check at the start of your page load for a custom principal in session and redirect to the login page if no principal was found?  Would this work?

yh_ink replied on Friday, October 06, 2006

When the browser back button is clicked, it does not go to the server; instead it gets the page from its own cache. Once it comes to the server it will work fine. What I want to know is how to handle the back button.

For example, log in to this CSLA forum and hit logout, then click the browser back button. The page viewed will be displayed. Click anything within it and it will take you to the login page.

Do the same: log in to some site like Yahoo. You can find the difference.
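
Added example, not part of any post in this thread: C# for ASP.NET Web Forms that combines the pieces the replies describe, namely no-cache directives on protected pages, a server-side check for the principal in session, and Session.Abandon() followed by a redirect on logout. The session key "Principal", the ~/Login.aspx path and the class names are assumptions made for illustration.

```csharp
// Added example; not code from the thread or from CSLA.
// Assumed names: SecurePage, LogoutPage, session key "Principal", ~/Login.aspx.
using System;
using System.Web;
using System.Web.UI;

// Base class for every page that must only be seen by a logged-in user.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Best-effort cache directives: ask the browser (and proxies) not to
        // keep a copy it could redisplay on Back without contacting the server.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));

        // Authoritative check: runs on every request that reaches the server.
        // After logout the session holds no principal, so the user is sent
        // to the login page instead of receiving protected content.
        if (Session["Principal"] == null)
        {
            Response.Redirect("~/Login.aspx", true);
        }
    }
}

// Code-behind class for logout.aspx.
public class LogoutPage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        Session.Clear();    // removes the session variables
        Session.Abandon();  // invalidates the session itself

        // Expire the default session-id cookie so the old id is not reused.
        HttpCookie sid = new HttpCookie("ASP.NET_SessionId", string.Empty);
        sid.Expires = DateTime.UtcNow.AddDays(-1);
        Response.Cookies.Add(sid);

        // Send the user to a page that does not require a login.
        Response.Redirect("~/default.aspx", true);
    }
}
```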

Copyright (c) Marimer LLC