Security

Re: Problem Logging out using LoginStatus Control or FormsAuthentication.SignOut()

anshivank — Wed, 24 Jun 2009 09:44:48 GMT

yes this is a good solution to back button problem...but what i have found out is that even if we write the middle line of the code you have given i.e. Response.Cache.SetCacheability(HttpCacheability.NoCache);

even then it will work. My question is.. what is the need of writing extra code i.e. first and the last line of your code.

Thanx in advance

shivank

Re: Problem Logging out using LoginStatus Control or FormsAuthentication.SignOut()

klpatil — Mon, 08 Jun 2009 17:33:31 GMT

yippee!!! Congrats Man!!

Re: Problem Logging out using LoginStatus Control or FormsAuthentication.SignOut()

miniGweek — Mon, 08 Jun 2009 14:42:56 GMT

Hello Kiran ,

My Problem is solved ! Thank you so much for guiding me in the right direction.

I used a master page , and included the code you mentioned in the Page_Load() . And the rest of the pages I derived from the master page , and its working like a charm.

Now , neither the back button or Manually typing in the url takes me those page , they redirect to me to login page as it should.

Thanks and Regards

- Rahul

Re: Problem Logging out using LoginStatus Control or FormsAuthentication.SignOut()

klpatil — Mon, 08 Jun 2009 09:47:47 GMT

Hi,

Thanks for the nice words!!

Sorry, i have updated the forums link and i am eagerly waiting for your reply..

Re: Problem Logging out using LoginStatus Control or FormsAuthentication.SignOut()

miniGweek — Mon, 08 Jun 2009 08:41:11 GMT

Hello Kiran ,

Your input is much appreciated. Thanks a lot for explaining the problem , and giving me the code project link. Though the forums.asp.net link seems dead. Anyways , I will try out your suggestion and come back.

Have a good day .

Regards

- Rahul

Re: Problem Logging out using LoginStatus Control or FormsAuthentication.SignOut()

klpatil — Mon, 08 Jun 2009 02:52:21 GMT

Hi Dear,

Sorry for inconveniences caused to you for this problem..it is because of Client side caching..And i hope that you are clear with how all the things work in background means forumauthentication and all that..if not give me a shout will be glad to help you..alrighty let's come to the point:

you can try this to put in your pages: Page_Load - which you don't want to be cached by client side:

Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();

//NOTE: Rather than adding to all pages..i suggest you you to create one BasePage which dervice from Page Class and all your pages should derive from this BasePage and the above code you can put it in your BasePage's Page_Load...hooh it is Oops "Reusability" :)

You can refer more links here :

http://www.codeproject.com/KB/aspnet/NoCaching.aspx

http://forums.asp.net/p/1422862/3161876.aspx

We refer this problem as a "Back Button problem".

Keep me posted on the same if it works or not :)

Programming is Fun!!!

Problem Logging out using LoginStatus Control or FormsAuthentication.SignOut()

miniGweek — Sun, 07 Jun 2009 22:56:47 GMT

Hello there fellas ...

I seem to have run into a problem , and no amount of Google Trolling or forum digging at many places seem to get me a solution. Really feels like crap Thus my desperate attempt at some form of help from you people here ..

Now that I have expressed my frustration, anger and what not , I will get on with the Whats actually making my life difficult.

------------------------------------end of rant------------------------------

I am trying to implement security for an already existing website. I am using ASP.NET along with Visual Studio 2005 for the purpose. After going through books like :

Apress.Pro.ASP.NET.2.0.in.C.Sharp.2005
Sams.ASP.NET.3.5.Unleashed
For.Dummies.ASP.NET.2.0.All.In.One.Desk.Reference.For.Dummies

I thought I had pretty good grasp on what is and what nots of Authentication and Authorization using ASP.NET . Apparently not ! :cryinganime:

I am using Forms Authentication and Credentials Store in Web Config file to store the username and password. Following is how the authentication and authorization of my web config file looks like :-

<authentication mode="Forms">
      <forms loginUrl="~/Default.aspx" protection="All" timeout="10">
        <credentials passwordFormat="SHA1">
          <user name="minigweek" password="849B563ED0CFA086B0C33D2772E26E098903A3F3"/>
          <user name="kenshin" password="3A1CC647FFFCD2D717F03B4005A71395BD17731E" />
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>

Which should basically allow any logged in user to browse any page and deny access to anonymous user.

Using C# here , so my Default.aspx has a login control , code for which is placed in Default.aspx.cs , as done by default by Visual Studio , and the login button raises an event "Authenticate"which calls the function "Login1_Authenticate1" which has the following code :-

protected void Login1_Authenticate1(object sender, AuthenticateEventArgs e)
    {
        Page.Validate();
        if (!Page.IsValid) return;
        if (FormsAuthentication.Authenticate(Login1.UserName,Login1.Password))
        {
            FormsAuthentication.RedirectFromLoginPage(Login1.UserName, false);
          
        }
        else
        {
            // User name and password are not correct
            Login1.FailureText = "Invalid username or password!";
        }
    }

This should take care of authenticating a valid user.

Then there's the logout page .
Which has 3 controls.
1.Loginname.
2.Loginstatus.
3.Logoutbutton.

The Loginname control allows me to see who is logged in.
The LoginStatus Control shows me whether use is logged in , and shows a url with "Log out" link. If I click on that , its supposed to log me out.
The Login Button when clicked does the following :

protected void Button1_Click(object sender, EventArgs e)
    {

        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }

hah ! Either of the loginstatus or the loginbutton should do the job of logging out the user and redirecting me to login page. Which it does. nice.

But here in lies a problem.

My Site has now 4 pages.

Login.aspx , Logout.aspx , Welcome.aspx and SeeItems.aspx.

When I manually type in the url to any of the site for the first time , i am redirected to Login page , as it should and all is fine. Now if I log in , I am taken to the page from where I was redirected to login page. neat eh ?

I once visit Welcome.aspx , SeeItems.aspx and then Logout.aspx , where I click either on Loginstatus control or the Logout button. I am redirected back to Login Page ! Bravo ! Which is all good , but !!! If now I manually type in the url to Welcome or Seeitems page I am still able to see these [pages !! how come ??

I noticed , if i hit refresh now , i am taken back to login page . applicable to both the pages. This is odd isn't it ?? If I am logged out ( which is true because immediately after logging out I am unable to visit the logout page anymore !!) , why can I still see those welcome and seeitems pages ? Its bugging the hell out of me and any help would be appreciated in resolving this

Thanks much in advance