Reputation: 613
I have a login page, so once the user enters the correct details he enters the home page. Now I want to implement 3 things:
1) Once he clicks the 'log out' button he must be redirected to a page saying "logged out successfully", and even if he clicks the back button in the browser, he should not be able to access it.
2) If the user leaves the homepage idle for a specific amount of time, say 10 minutes, and then tries to navigate after 10 minutes, a message should display saying "Your Session has been expired login again".
3) If given the URL of the homepage, he shouldn't be able to access it unless logged in.
I am not sure exactly what I need to do and how to do it. Please help. Regards
Indranil Mutsuddy
Upvotes: 1
Views: 511
Reputation: 12221
1) When the user logs out of the system I would recommend doing a Session.Abandon(). If the user clicks the Back button in the browser he might see the cached version of the old page (this is entirely browser-dependent), but he won't be able to do anything anyway.
Disable the caching in your pages and the user shouldn't even see the cached old version :)
A simple way to do this would be to add the following into Global.asax's Application_BeginRequest:
HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);
HttpContext.Current.Response.Cache.SetNoStore();
2) In your web.config set the session lifetime to 10 minutes, incremental. That will do the trick:
<system.web>
  <authentication mode="Forms">
    <forms defaultUrl="~/LoggedIn.aspx" loginUrl="~/Login.aspx" protection="All" path="/" slidingExpiration="true" timeout="10"/>
  </authentication>
</system.web>
3) You can do this using authorization rules in web.config. If you want no anonymous users to access your website just enable access only to logged in users like this:
<system.web>
  <authorization>
    <deny users="?"/>
  </authorization>
</system.web>
If you want to restrict access not to the whole website, but only to some areas (like the MyAccount area), then you can add this instead. Note: Web.config can have multiple <location> elements!
<location path="MyAccountFolder">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
There's one important note about the location tag. The path does NOT start with a '/'! So if you want to secure the /MyAccount folder, then your tag will start like this:
<location path="MyAccount" />
Upvotes: 2
Reputation: 187110
Case 1:
When the log off button is clicked, clear the Session.
Clicking the back button in the browser might result in fetching the page from the cache, so checking Session in the page might not be effective. You can disable caching for the page so that when the back button is clicked a new request to the page will be generated.
For pages not to be cached, set this:
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Case 2:
You can set the default timeout for Session as 10 minutes. See HttpSessionState.Timeout Property
Case 3:
Check Session for null and if found to be null then redirect to a login page.
Upvotes: 0
Reputation: 124804
You should generally use ASP.NET Forms Authentication for this.
When the Log Out button is clicked, call FormsAuthentication.SignOut. This will remove the forms-authentication ticket information from the cookie (or URL if cookieless).
For a timeout, use the timeout attribute in the system.web/authentication/forms element of your web.config. Note that your forms authentication timeout is independent of your Session timeout.
Upvotes: 0
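The logout flow the answers above describe, combined into one sketch; this is an added example, not code from any of the posters. The page name LoggedOut.aspx, the handler name LogoutButton_Click and the class names Logout and Global are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Code-behind for a hypothetical Logout page (Logout.aspx.cs).
public partial class Logout : Page
{
    // Wired to the Click event of the "log out" button.
    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        // Remove the forms-authentication ticket from the browser so the
        // <deny users="?"/> rule treats the next request as anonymous.
        FormsAuthentication.SignOut();

        // Session state is tracked separately from the auth ticket: drop it too.
        Session.Clear();
        Session.Abandon();

        // Expire the session cookie so the old session id is not sent again.
        // "ASP.NET_SessionId" is the default name; it differs if
        // <sessionState cookieName="..."> is configured.
        var expired = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        };
        Response.Cookies.Add(expired);

        // LoggedOut.aspx (assumed name) must be reachable by anonymous users,
        // e.g. through its own <location> element with <allow users="*"/>.
        Response.Redirect("~/LoggedOut.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}

// Global.asax.cs: applies the no-cache headers to every response, so the
// Back button triggers a new request that is re-checked against the
// authorization rules instead of showing a stored copy.
public class Global : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
    }
}
```

FormsAuthentication.SignOut only clears the cookie in the browser; a ticket copied before logout remains valid until its timeout elapses, which is one reason to keep the forms timeout short.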