how to stop backward after logout in asp?

[SBUH]

Hello, I have logout page in asp for session abandon. But after user logout and press back button, the page can still go one page back. How should I modify the code so that the user cannot go backward or if he go backward, there will be warning page to say that the page are expired like those official mailbox.

Thanks very much in advance and wait for your reply!

[lostinbeta]

Although I have no idea how to do this (I know nothing about ASP) what you would probably need to is set a cookie that determines if they are logged in or not, and then check that cookie when the page is loaded. If they are logged in, they can view, else they get an error message.

[λ]

That would be quite insecure... you could get to the page by simply changing the cookies' value to 1.

[lostinbeta]

More secure than allowing to go back no matter what

And it depends on how it is done as well, you don't just have to use true of false, or if ASP has the ability to delete a cookie you can check if the cookie even exists or not.

[λ]

Originally posted by lostinbeta
More secure than allowing to go back no matter what

And it depends on how it is done as well, you don't just have to use true of false, or if ASP has the ability to delete a cookie you can check if the cookie even exists or not.

LOL

In PHP you can use session_destroy to destroy a session... I don't know about the equivalent in ASP tho... you'll have to wait for abzoid

[prstudio]

Ok there are two methods that I like.

One set how long the page exists in cache. This setting will allow the page to refresh on each access.

<%Response.Expires=-1%>

Now if you have written a cookie to say they are logged in:
<%
Response.Cookies("login")="true"
%>

then you want to write over that cookie in your logout script:

<%
Response.Cookies("login")="false"
%>

Then of course on each page that is a "secure location" you want to put a script that checks that 'login' cookie to see if they are logged in...

<% Dim logincheck

logincheck = Request.Cookies("login")

if logincheck <> "true"
then Response.Redirect "http://www.blah.com/loginerror.asp"
end if
%>

That is one way of doing a login script.

However it is not the most secure.

There are sessions(very secure) then there are ways of combining database entries and cookies with random number generator scripts that triple check everything.

Hope that helps, if you need anything more. Let me know.

[prstudio]

What happens in one of my favorite scripts...(cause its hard and complex lol)

Is this.

When you access my site.

You try and login.

If you are a user you enter your name and password.

The script checks the database for that password and user combo.

If it exists.

A random number generator generates a number and stores it in one field of the database. It then stores the same number in the cookie value on your machine.

Now each page after that, I have a script check the value in the database with the value in your cookie. If they match you may proceed. If they do not then no access.

Now when the person logs-off... a second random number is generated and stored in one of the locations; making it to where the numbers no longer match.

That way the next person that comes along on the computer cannot just "edit" the cookies to access it.

The random number is around 30 characters long.

Again, if the cookie number doesn't match the database number; then no access.

Keys here are to protect the database. Most server companies have the database in a separate non-public area of the server.

There are other ways to do this. But that above way is just fun and extremely secure.

[abzoid]

If I were going to do this, and I have on more than a few web sites, I'd use a simple session variable instead of messing with client side cookies.

When the user logs in set session("user") = {username from database lookup}.
When the user logs out set session("user") = "".
On every secure page check to see if session("user") = "" and if it does then redirect to login page.

Simple yet quite secure.

[reverendflash]

or, you could always just nest a whole bunch of [edit]frames[/edit], so the browser freezes, causing a restart, therefore clearing the history...



Rev

[prstudio]

rofl yeah with about three java lake applets in each table set

[reverendflash]

oops, not tables, I meant frames...set up a frameset with 2 frames. Inside each of those 2 frames, 2 frames open up. Inside each of those 4 frames, 2 frames open up...

etc... until crash...

you can even use a random color script on the html pg to make it real purty before it shuts down...

[Yeldarb]

roflmao, do you have an example? lol

[abzoid]

You just have one or both of the frames load the main frameset page as one of it's content pages. For example:

Save the following code as frameset.html

PHP Code:

<html>
<head>
<title>Crasher</title>
</head>

<frameset cols="50%,50%">
  <frame src="frameset.html">
  <frame src="frameset.html">
</frameset>

</html> 


We used to put pages like this as index.html in directories where no one had any business trying to see a directory listing. Mwuahahahaha

[reverendflash]

I have to confess...

abzoid's the guy who told me about this... something like 5 years ago...

Rev

[Yeldarb]

that is hilarious lol
too bad i'm too lazy to put that in an html page and see if it works... also too lazy to do the random background

theres also a way to crash ie with only five lines of code:

PHP Code:

<html>
<form>
<input type crash>
</form>
</html>