Hi All,

 I have created code on login page's submit button which saves loginStatus in session variable. After successful login, I check on master page codebehind for loginStatus Value.

if (Session["loginStatus"] == null || Session["loginStatus"].ToString().Equals(string.Empty) || !Session["loginStatus"].ToString().Equals("Yes")){

Response.Redirect("Login.aspx");}

This works fine. If i try to open default,aspx without login, It redirercts me to loginpage. I have created Signout link, which redirects to logout page where I am removing session using session.abandon,session.remove etc. and redirect to login page. But If user doesnt close IE after logout, and in address bar writes address of any secure page like default.aspx, The page displays. This problem is with IE only, firefox redirects me to login page. If I close IE and then open it and enter address of any secure page, It redirects me to login page and works fine.

 Please suggest me solution for this.

Regards,

Asif Hameed

Hi Asif Hameed,

*Please refer to my next reply. Sorry for inconvenience*

------------------------------------------------------------------------------------------------

The problem may be casued by session. When the page is closed, the Session hasn't been disposed and when the user opens the page again, the code for detecting Session["loginStatus"] considers that the user has been logged in.

To deal with this issue, I suggest you using JavaScript function, which is fired when page unloads, to call behind code to dispose the session.

Have a try on the test demo below. I have written some comments to it: 

<%@  Language="C#" %>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
    <script type="text/javascript">
    
        //when page is unloading, we find the unload button and click it.
        window.onbeforeunload = function() {
            if (event.clientX > document.body.clientWidth && event.clientY < 0 || event.altKey) {
                document.getElementById("unload").click();
            }
        }
    </script>

    <script runat="server">
        protected void DoUnLoad(object sender, EventArgs e)
        {
            //write some texts to do the test.
            System.IO.File.AppendAllText(Server.MapPath("unLoadTest.txt"), "page has been unload");
        }
    </script>

</head>
<body>
    <form id="form1" runat="server">
    <div>
        <%--you can set the button's display as none to hide it--%>
        <input id="unload" name="unload" runat="server" onserverclick="DoUnLoad" type="button" value="button" />
    </div>
    </form>
</body>
</html>

Session["loginStatus"] = null;

Best Regards
Shengqing Yang

add below code in your logOff.aspx

If Not (Session Is Nothing) Then

End If

its working for me in IE and FireFox.

sparrow37:

But If user doesnt close IE after logout...

Hi,

I am afraid I have misunderstood you before if you meant doesnt close Internet Explorer. Then, the issue is caused by cache..

Add this code to Page_Load event handler of those pages which contain sensitive information: 

Response.AppendHeader("Cache-Control", "no-store");

This will make pages not cached by browser and when the user visit those pages, his session will be always checked. If he has been logged out, he will not see the content of those pages.

By the way, my previous reply handles the situation that users close the page without logging out. If you need it, you can give it a try as well. 

Best Regards,
Shengqing Yang

Hi All-Star,

            Thank you . you solution worked for me :)

Regards,

Asif Hameed

try this

    protected void LoginStatus1_LoggedOut(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();
        Roles.DeleteCookie();
        Session.Clear();
    }

Good Luck