Reputation: 2134
I am working on an application in ASP.NET with C# and an MSSQL DB. I am using a simple logic that if the session variables contain appropriate values then a page should open, otherwise it should redirect to the login page. This is the code that's working.
protected void Page_Load(object sender, EventArgs e)
{
    // Send the user to the login page if either session value is missing
    if (Session["loggedinloginid"] == null || Session["loggedinpassword"] == null)
        Response.Redirect("login.aspx");

    con.ConnectionString = ConfigurationManager.ConnectionStrings["familyConnectionString"].ConnectionString;
    con.Open();
    // Look the admin up by concatenating the session values into the SQL text
    adp = new SqlDataAdapter("select * from admins where loginid=N'" + Session["loggedinloginid"].ToString() + "' AND password=N'" + Session["loggedinpassword"].ToString() + "'", con);
    dt = new DataTable();
    adp.Fill(dt);
    if (dt.Rows.Count == 0)
        Response.Redirect("login.aspx");

    // Show the welcome text on the master page's link button and hook up the log-out click
    LinkButton lb = (LinkButton)(Master.FindControl("LinkButton1"));
    lb.Text = "Welcome " + Session["loggedinloginid"].ToString() + "| Log Out |";
    lb.Click += new EventHandler(lb_Click);
}

void lb_Click(object sender, EventArgs e)
{
    Session.Clear();
    Response.RedirectPermanent("WebForm2.aspx");
    //throw new NotImplementedException();
}
The problem is that when I log out, clear the session and type the URL of the page that I want to protect (the page with this code) into the browser, it opens! Why, and how can I avoid this?
Upvotes: 1
Views: 1165
Reputation: 19365
Your problem is in this line:
lb.Click += new EventHandler(lb_Click);
The code for the Click event handler is never called, because you subscribe to the event handler in the OnLoad event, but that is too late in the lifecycle. Move the line into the OnInit event and your code should work as expected.
You should also think about sanitizing your SQL queries to prevent SQL injection (I don't know what your login looks like, but based on the code you posted above, it might be vulnerable to SQL injection).
If .NET 3.5 or higher is an option for you, I would suggest you have a look at simple ORM mappers like Linq2SQL or Entity Framework (have a look at Linq2SQL first), which allow you to use LINQ for your queries and (afaik) sanitize your input.
Upvotes: 0
Reputation: 1736
You remove the session after the page redirection to "WebForm2.aspx" has completed. Write the session-remove function in that "Webform3.aspx" page, and after that redirect to the login page. Check the web.config file also.
Upvotes: 0
Reputation: 2707
Session.Abandon();
Removes all the objects stored in a Session. If you do not call the Abandon method explicitly, the server removes these objects and destroys the session when the session times out.
View this link for the difference between Clear and Abandon:
What is the difference between Session.Abandon() and Session.Clear()
Upvotes: 1
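A version of the protected page that applies the points raised in the first answer (attach the Click handler in OnInit, parameterize the admins lookup) and the answer above (Abandon the session on logout rather than only Clear it), as an added example rather than code from any of the posts. It assumes the same master-page LinkButton1, admins table with loginid/password columns, and familyConnectionString as the question; the NVARCHAR column length of 50 and the default ASP.NET_SessionId cookie name are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not the asker's code. Assumes a master page with a LinkButton
// named "LinkButton1", an "admins" table with loginid/password columns, and a
// connection string named "familyConnectionString", as in the question.
public partial class ProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Subscribe in OnInit so the handler is attached before the control's
        // Click event is raised during postback processing.
        LinkButton lb = (LinkButton)Master.FindControl("LinkButton1");
        lb.Click += lb_Click;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        string loginId = Session["loggedinloginid"] as string;
        string password = Session["loggedinpassword"] as string;

        if (loginId == null || password == null)
        {
            // endResponse: true stops the rest of Page_Load from running.
            Response.Redirect("login.aspx", true);
            return;
        }

        if (!AdminExists(loginId, password))
        {
            Session.Abandon();
            Response.Redirect("login.aspx", true);
            return;
        }

        LinkButton lb = (LinkButton)Master.FindControl("LinkButton1");
        lb.Text = "Welcome " + HttpUtility.HtmlEncode(loginId) + " | Log Out |";
    }

    // Parameterized lookup: the values never become part of the SQL text, so a
    // value such as  x' OR '1'='1  is compared literally instead of changing
    // the WHERE clause (the string concatenation in the question is what the
    // first answer warns about).
    private static bool AdminExists(string loginId, string password)
    {
        string cs = ConfigurationManager.ConnectionStrings["familyConnectionString"].ConnectionString;
        const string sql =
            "SELECT COUNT(*) FROM admins WHERE loginid = @loginid AND password = @password";

        using (SqlConnection con = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            // Column length 50 is an assumption; match it to the real schema.
            cmd.Parameters.Add("@loginid", SqlDbType.NVarChar, 50).Value = loginId;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 50).Value = password;
            con.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    void lb_Click(object sender, EventArgs e)
    {
        Session.Clear();    // drop the stored values
        Session.Abandon();  // invalidate the server-side session itself

        // Expire the session cookie so the browser stops presenting the old ID
        // (cookie name assumed to be the ASP.NET default).
        if (Request.Cookies["ASP.NET_SessionId"] != null)
        {
            HttpCookie c = new HttpCookie("ASP.NET_SessionId", "");
            c.Expires = DateTime.Now.AddDays(-1);
            Response.Cookies.Add(c);
        }

        // A normal 302 rather than RedirectPermanent (301): browsers may cache a
        // permanent redirect and replay it without ever hitting this handler.
        Response.Redirect("login.aspx", true);
    }
}
```

After logging out, requesting the protected URL directly reaches Page_Load with an empty session and is redirected before any database access; the same check runs on every request, so the page never relies on the logout link having been clicked.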
Reputation: 1526
You can use the Session.Remove() method:
Session.Remove("session name");
Upvotes: 0