asp_web_howto thread: URL From History
Message #1 by rg1@h... on Mon, 20 Aug 2001 23:26:34
Hi.
I'm using the Global.Asa file to prevent users from accessing a URL that
was added to Favorites. The Global.Asa "Session_OnStart" event redirects
to a login page if that's the case.
I've only now just realised that the user could go to a URL that is not
the login page, from "History".
For instance, the user logs into the system and a menu page is then
presented to them. They then close the browser, open up another browser
session, click on History and select the menu page that was presented to
them in the previous session, effectively bypassing the login.
Since I've been instructed to not use session variables, how can I prevent
this? Somebody who does not have permission to use the system may gain
access this way.
Any suggestions would be greatly appreciated.
Rita
Message #2 by "Ken Schaefer" <ken@a...> on Tue, 21 Aug 2001 11:05:03 +1000
You need some kind of state-management system to keep track of who's logged
in, and who isn't. You could use session variables, you could use in-memory
cookies, you could use a database to track this. There are many options.
Once you've decided on which option to use, you just need to check (at the
top of each page) whether the user is logged in. If not, then redirect them
to the login page. Optionally, you might also pass across the page that they
tried to access, so that after they login, they can be transparently
returned to where they wanted to get to originally.
Something like:
Call subVerifyPermissions(intLoggedIn)
Sub subVerifyPermissions( _
    ByVal SecurityToken _
)
    ' Anyone who is not logged in is sent to the login page, with the page
    ' they asked for passed along so login.asp can return them there later.
    If Not SecurityToken Then
        Response.Redirect("/login.asp?URL=" & _
            Server.URLEncode(Request.ServerVariables("Script_Name")))
    End If
End Sub
The above code assumes you are using True/False to indicate whether they are
logged in or not. You could use 1/0, or whatever you wanted.
Cheers
Ken
Message #3 by Roger Balliger <Roger@i...> on Mon, 20 Aug 2001 15:51:52 -0700
Rita,
I can't see why someone would restrict you from using session vars.
Regardless, try expiring the page when it loads. This will keep it from
being stored in the History folder.
First line of code:
<% Response.ExpiresAbsolute = 0 %>
Roger
Message #4 by Rita Greenberg <rg1@h...> on Tue, 21 Aug 2001 07:35:43 -0700
Wonderful. Thanks!
Regarding restricting usage of session variables, I think it has to do with
users possibly not having cookies enabled, scalability, etc.
Message #5 by Rita Greenberg <rg1@h...> on Tue, 21 Aug 2001 07:58:56 -0700
Hi Ken.
Thanks for your response. I'm going to first try not to use session variables,
by using the following code, which should keep the page from being stored in
the History folder (courtesy of Roger):
First line of code:
<% Response.ExpiresAbsolute = 0 %>
By the way, loved your link to http://www.adopenstatic.com/personal/help.asp
regarding "Being Self-Sufficient: The Great Debate".
Rita
Message #6 by rg1@h... on Tue, 21 Aug 2001 17:05:47
To resolve this issue, I tried adding "<% Response.ExpiresAbsolute = 0 %>"
as the first line in a couple of my asp pages - a menu page and a display
page. I logged in, got the menu page, selected the display page and then
closed the browser. I then opened it again, selected the menu page from
History and was correctly redirected to the login page.
However, if I login, get the menu page, get the display page and then go
back to the menu page, after closing and re-opening the browser, if I
select the menu page from History, I get the menu page!
Is there something else I need to do or should I just go now and beat my
manager over the head so I can use a session variable (:-P)?
Rita
Message #7 by "George Draper" <gdraper@c...> on Tue, 21 Aug 2001 12:30:03 -0400
Check this KB article
HOWTO: Prevent Caching in Internet Explorer
ID: Q234067
- George
Message #8 by Rita Greenberg <rg1@h...> on Tue, 21 Aug 2001 10:41:13 -0700
Thanks George, I'll add the Response commands as described and test it out.
There is a way I could Redirect from History without Session variables. I'm
using hidden fields and I just need to add 3 lines of code to check if one
of the hidden fields is empty. If empty, then I can redirect to the Login
page. The pain here is that I'd have to add it to every asp page that the
menu calls.
Rita
Message #9 by "Ken Schaefer" <ken@a...> on Wed, 22 Aug 2001 17:25:41 +1000
Rita,
As I said before - you need to implement some kind of session state
management. This doesn't necessarily involve using session variables - but
it means that the server has some way of knowing who has logged in and who
hasn't.
Now, you do need to expire your pages (or prevent them caching in the first
place). This means that the browser will go back to the server to get a
fresh copy each time. But what you then need to do is have the server do
some kind of check to make sure that the user is actually logged in. This
could be done by having a cookie that is set after the user is logged in, or
keeping a list of active sessions in a database, or by using session
variables. If the cookie (etc.) isn't present, you redirect the user to the
login page using Response.Redirect().
Cheers
Ken
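The check Ken describes here and in message #2, as an added example that is not code from the thread, written in Python rather than the thread's VBScript: a login check run at the top of every protected page, with an HMAC-signed cookie standing in for whichever server-verifiable state is chosen (cookie, database record or session variable), no-cache headers doing the job of Response.ExpiresAbsolute = 0, and a redirect to the login page that carries the requested path. All names here (SECRET, make_login_cookie, verify_permissions, the request dict) are hypothetical.

```python
# Added example (not from the thread): server-side login check plus no-cache
# headers, so a page pulled from History still hits the server and gets checked.
import hmac
import hashlib
import time
from urllib.parse import quote

SECRET = b"constructed-demo-secret"  # assumption: server-side secret, never sent to the client

def make_login_cookie(user, expires_at):
    """Issued by the login page after a successful login (hypothetical helper)."""
    payload = f"{user}|{int(expires_at)}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"

def verify_login_cookie(cookie, now):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    if not cookie:
        return None
    try:
        user, exp, sig = cookie.split("|")
        exp = int(exp)
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()) or exp <= now:
        return None  # forged, tampered or expired: treat as not logged in
    return user

# Equivalent of Response.ExpiresAbsolute = 0 plus the Cache-Control/Pragma headers.
NO_CACHE = {"Cache-Control": "no-cache, no-store, must-revalidate",
            "Pragma": "no-cache", "Expires": "0"}

def verify_permissions(request, now=None):
    """Call at the top of every protected page. `request` is a constructed
    stand-in for the ASP Request object: {'path': ..., 'cookies': {...}}.
    Returns (status, headers, user)."""
    now = int(time.time()) if now is None else now
    user = verify_login_cookie(request.get("cookies", {}).get("auth"), now)
    if user is None:
        # Pass the requested path along so login can return the user there,
        # but only a local path: an absolute or protocol-relative URL would
        # turn /login.asp?URL= into an open redirect.
        path = request.get("path", "/")
        if not path.startswith("/") or path.startswith("//"):
            path = "/"
        headers = dict(NO_CACHE, Location="/login.asp?URL=" + quote(path, safe=""))
        return 302, headers, None
    return 200, dict(NO_CACHE), user
```

A hidden form field cannot play the role of the cookie here: it is client-supplied, so the server must check state it can verify itself.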
Message #10 by Rita Greenberg <rg1@h...> on Wed, 22 Aug 2001 07:29:50 -0700
Thanks Ken for the detailed explanation. Much appreciated!