Last post Jan 18, 2019 02:47 AM by Nan Yu
Jan 17, 2019 11:04 AM|demoninside9|LINK
Below is my code for the login page.
protected void btnLogin_Click(object sender, EventArgs e)
{
    Session["user_name"] = txtUserName.Text.Trim();
    // ...
    WebMsgBox.Show("Invalid user name or password !");
}
And below is my webconfig code
<forms defaultUrl="~/Dashboard.aspx" loginUrl="~/Login.aspx" slidingExpiration="true" timeout="2880">
And on the logout button I have an a href link which redirects to the login page. On this login page's page load event I am clearing the session like below:
protected void Page_Load(object sender, EventArgs e)
{
    Session["user_name"] = null;
}
But still, after logout, if the user uses the browser's back button and goes back to some pages (without logging in), he/she can access all pages, whereas it should go to the login page as the session has expired.
Why is it happening?
Jan 17, 2019 01:00 PM|mgebhard|LINK
Why is it happening?
IMHO, storing the same information in two different state management frameworks is not a good design approach because it requires synchronizing the two frameworks. I recommend dropping the Session logic as it is redundant.
I believe the main issue is browser caching. You can easily verify this on your own by opening dev tools (F12) and viewing the network trace. Click the back button and you should see the page is loaded from cache, not the server.
The ASP.NET docs cover caching and how to disable it. Go through the docs. Keep in mind, this is a pretty common scenario that has been around a long, long time. So there is a lot of information out there on the Internet.
Jan 18, 2019 02:47 AM|Nan Yu|LINK
You can try clearing the authentication cookie and the session cookie to log the user out:
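// needs System.Web.Security (FormsAuthentication) and System.Web.Configuration (SessionStateSection, WebConfigurationManager)
// clear authentication cookie
HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
cookie1.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie1); // send the expired cookie so the browser drops its copy
// clear session cookie (not necessary for your current problem but I would recommend you do it anyway)
SessionStateSection sessionStateSection = (SessionStateSection)WebConfigurationManager.GetSection("system.web/sessionState");
HttpCookie cookie2 = new HttpCookie(sessionStateSection.CookieName, "");
cookie2.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie2); // send the expired cookie so the browser drops its copy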
Reference : https://stackoverflow.com/questions/412300/formsauthentication-signout-does-not-log-the-user-out
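The two replies above combined into one sketch, as an added example that is not code from any post in this thread: protected pages send no-store headers so the back button has to re-request them, and logout ends the forms-authentication ticket on the server side. The names ProtectedPage and Logout are assumptions; Dashboard.aspx and the loginUrl come from the web.config in the question.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical base class (name assumed): pages that require a login, such as
// Dashboard.aspx, inherit from this instead of System.Web.UI.Page.
public class ProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Tell the browser and any proxy not to keep a copy of this response,
        // so Back re-requests the page instead of replaying it from cache.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));
        Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);

        // The re-request reaches the server, where the forms-authentication
        // ticket decides. After logout there is none, so send the user to loginUrl.
        if (!Request.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            Response.End();
        }
    }
}

// Hypothetical logout page code-behind (Logout.aspx is an assumed name);
// the logout link points here rather than straight at Login.aspx.
public partial class Logout : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();   // expires the forms-authentication cookie
        Session.Abandon();               // discards the server-side session state
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Pages already sitting in the browser cache from before the headers were added can still be replayed until that cache is cleared; the F12 network trace mentioned above shows whether a given Back navigation hit the server.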