Wrox Programmer Forums
ASP Pro Code Clinic As of Oct 5, 2005, this forum is now locked. No posts have been deleted. Please use "Classic ASP Professional" at: http://p2p.wrox.com/forum.asp?FORUM_ID=56 for discussions similar to the old ASP Pro Code Clinic or one of the other many remaining ASP and ASP.NET forums here.

You are currently viewing the ASP Pro Code Clinic section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old November 6th, 2003, 04:47 AM
Authorized User
 
Join Date: Aug 2003
Posts: 78
Thanks: 0
Thanked 0 Times in 0 Posts
Send a message via Yahoo to spraveens
Implementing Logout

Hi
   The login I made does not have any mechanism to store the details of the user (cookies). It takes the username/password from the user and then opens the database and then, if correct, redirects the user to the home page, else gives a password error message. Now I want to implement a logout which would clear the cache (or page expires) and force the user to re-login after pressing the Logout. Please give code.

Thanks
praveen

 
Old November 6th, 2003, 11:46 AM
planoie
Friend of Wrox
 
Join Date: Aug 2003
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts

I read the other thread you had regarding this topic and I'd like to help clear things up.

Let us say that you have 3 pages:
- UnprotectedPage.asp
- ProtectedPage.asp
- LoginPage.asp

Unless you actually have code that looks for some kind of user validation (something that says "Yes, there is a user logged in") you can't have protected pages. So any user would be able to see all 3 of those pages.

Now let's assume the login page is the first page a user sees. S/he enters their username and password, you verify this against your database, and if it's ok, you then redirect them to "ProtectedPage.asp". (This is what it sounds like you are doing right now.)

Now there is still no code that asks "is a user logged in?" so the user could very easily go DIRECTLY to ProtectedPage.asp WITHOUT going through the login process because there is no checking mechanism.

You need to create a checking mechanism. You need to save some kind of value in a cookie or session that you can use as your "is a user logged in?" check.

Caching:
You can't use caching for "logout" purposes. All that caching will do for you is determine whether or not that page will be requested again from the server. Even if you set a page to expire immediately, and every single time someone requested that page the server generated it and served it up, unless you have a method to check to see if a user is "logged in" you'll never be able to block access to that page.

You must save a login status somewhere.

Here is a very easy example to get you started on this:

After you have validated a user by checking in the database for their username and password, set their username to a session value.

Session("LoggedInUser") = strUserName

Then on the pages you need to protect, you simply need to check that value...

'Check for logged in user.
If Session("LoggedInUser") = "" Then
    Response.Redirect("LoginPage.asp")
End If

Then you can create a simple Logout.asp page that contains this code:

Session("LoggedInUser") = ""

Alternatively, you can call Session.Abandon() which will clear the whole session object.

I hope this has helped to clear this up.

Peter
------------------------------------------------------
Work smarter, not harder.
 
Old February 15th, 2004, 12:14 PM
Registered User
 
Join Date: Jan 2004
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts

hi
   Your solution is right, but if the address is written in the address bar then it will generate an error message that the session variable is not set.
  So please convert it to boolean type and then put the whole expression in the if clause.
  I think this should work.

bye
viral

 
Old February 16th, 2004, 01:10 AM
planoie
Friend of Wrox
 
Join Date: Aug 2003
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts

I have often tested for a session variable at the beginning of a page. Knowing full well that in some cases that session variable will not be set, my if statement will work exactly as I expect. I have never seen a case where I get an error saying that a session variable is not set. In ASP, when you ask for a session variable that is not set you simply get back an empty string. Usually that's as good as saying it's not set, but it doesn't generate an error.

Peter
------------------------------------------------------
Work smarter, not harder.
 
Old October 26th, 2004, 10:09 AM
Registered User
 
Join Date: Oct 2004
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts

I am trying to accomplish the same security in my application. I am using Session variables to hold the User information and as a check mechanism on the Page_onload event of every protected page. This is working fine. I have tested navigating directly to the protected page before logging in and that is working great.

This is my problem...I have a menu that includes a 'Logout' menu item. When the user clicks 'Logout', the page is redirected to another page, Logout.aspx. On this page, I perform the Session.Abandon() and redirect to Login.aspx. This clears all my session variables fine. But, if I then click the back button in the browser, the last page before clicking 'Logout' is rendered again. I believe this is due to caching, but I have not been able to find a way around it. I do not want to disable cache for my pages because it slows down the performance considerably. I just want to find a way to clear the cache ONLY when the user clicks the 'Logout' menu item. Can anyone help with this?

Thanks,
Angela
 
Old October 26th, 2004, 11:17 PM
Friend of Wrox
 
Join Date: Jun 2003
Posts: 2,480
Thanks: 0
Thanked 1 Time in 1 Post

Hi Angela,

If you are talking about ASP.NET, this is a classic ASP forum. You could better post that on a .net forum here.

Cheers!

_________________________
- Vijay G
Strive for Perfection
 
Old April 22nd, 2005, 03:13 PM
Registered User
 
Join Date: Apr 2005
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts

Hi,
I have a problem related to something like this.
I authenticate user with the database table and store the username in
Session("UserName")=txtUserName
say username is Chris so after authentication my new page says welcome Kris,

and my logout sub is

public sub btnLogout_click(...)
 Session.Abandon()
Response.redirect("http://localhost..../login.aspx")
end sub

My problem is: after I logged in I copy the URL and click logout, I get redirected to the login screen. Here if I paste the URL I copied in the address bar and enter I am able to see the page again which says Welcome Kris,

This should not happen once I log out; unless I log in by typing username/password I should not see that page. So, is my session not being killed or cleared? What am I doing wrong here?

Thanks in advance for your time and help



-Kris
.Net Developer
 
Old April 24th, 2005, 06:26 PM
Friend of Wrox
 
Join Date: Jan 2004
Posts: 1,870
Thanks: 12
Thanked 20 Times in 20 Posts
Send a message via AIM to mat41

justKris

Have another read of Planoie's post. The answer to your question and your solution lie here:
--------------------------
Then on the pages you need to protect, you simply need to check that value...

'Check for logged in user.
If Session("LoggedInUser") = "" Then
    Response.Redirect("LoginPage.asp")
End If
--------------------------------

;;;This should not happen once I logout, unless I login by typing username/password I should not see that page
Unless you are checking, yes it will

-You must check for the value in Session("LoggedInUser") on EVERY page you want protected. BTW - if there is no value in this session var or it does not exist you will not get an error as viralshah suggests.

Additionally - you will get better .net solutions in the .net area of the forum. I was told .net solves state, session and application level issues? I bet there's a better .net specific answer

Wind is your friend
Matt
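
Added example, not part of any post in this thread: the per-page check and the logout page described in the answers above, with the check placed in one include file and combined with no-cache response headers, so that a protected page reached again after logout (Back button or pasted URL) is requested from the server and hits the check. The file name RequireLogin.asp is an assumption; LoginPage.asp, ProtectedPage.asp and Session("LoggedInUser") are the names used in the thread.

```asp
<%
' ---- RequireLogin.asp (hypothetical file name) ----------------------
' Include this as the FIRST thing in every page that must be protected,
' for example at the top of ProtectedPage.asp:
'     <!-- #include file="RequireLogin.asp" -->

' Ask the browser and any proxy not to reuse a stored copy of the page.
' Caching headers alone protect nothing; they only make sure the request
' comes back to the server, where the session check below decides.
Response.Expires = -1
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"

' An unset session variable reads as empty, so this comparison is safe
' for a visitor who never logged in or whose session was abandoned.
If Session("LoggedInUser") = "" Then
    Response.Redirect "LoginPage.asp"
End If
%>

<%
' ---- Logout.asp ------------------------------------------------------
' Clear the login marker explicitly, then drop the whole session.
Session("LoggedInUser") = ""
Session.Abandon
Response.Redirect "LoginPage.asp"
%>
```

The headers are set only on pages that include the guard, so unprotected pages stay cacheable.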




