Hello Everyone!

I have a "restricted page" (for users that made their login correctly) where I put a form with a button "logout". When the user press it, I redirect "him" to the (not restricted) homepage but... if he uses his "back" browser-possibility or if he copy/paste the restricted-page URL he will be able to enter the restricted area again, without need to login again. (I don´t like this.)

I know that the Session.Abandon() could be used but if I do (the way I did) , I cannot send this user (while in the restricted page) to the "Change Password/Login" link/page included/associated because before getting "there" his session is already lost...

Well, I have already tried to study the following link:

http://p2p.wrox.com/topic.asp?TOPIC_ID=19463

and it is, in fact, VERY related to all that. I am afraid it is too unclear/difficult to me. I could not implement those suggestions.

Could anyone give me advice and/or other references?

Thanks in advance!
fskilnik

I am not sure I understand. If you have a complete separate Logout page that does nothing more than kill the session and redirect, you should be fine.

Why would a user not be able to go to Login page again after a call to logout? Logout isn't protected, is it?

Can you provide more details? Maybe show some code?

Imar---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.

Hi there, Imar! :)

Thanks for answering to my posting in this forum, too!

Here we are, again!

> If you have a complete separate Logout page that does nothing more than kill the session and redirect, you should be fine.

I didn´t create something like that. (Shame on me!) When the user is in a "report his-eyes-only page" (restricted) , he is able to press the logout button. Pressing it, I redirect him to the homepage, not to the login one. (I was killing the session INSIDE the "report his-eyes-only page" , right before that and... that was very silly because of the "Change Login/Password" link mentioned.)

Your idea is perfect! I should redirect him to an intermediary page that has the only purpose of killing the session and redirecting him to the homepage!!!

I hope you got the picture. Anyway, you solved my problem, I am sure!

I will do as you suggested. Thank you very much for your help!

Best Regards,
Fábio.

Yeah, exactly. A separate page with no UI is probably the best thing to do:

1. Your protected page (or maybe on the menu through an include) 2. Logout.asp should do the trick.

Cheers,

Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.

Thanks, Imar!

It all went well, accordingly to your instructions.

The only small detail missing (that I would like to implement) is the following:

After the user logouts and after he is redirected to the login page (or to the homepage) , he is still able to "go back" to his protected page, simply clicking in the "Back" button on the Internet Explorer! I would like to avoid that. (The ideal situation, it seems to me, would be that "when he logouts, the only possible way to see the protected page again is doing another login".)

To solve that, I tried to use

<% onload="javascript:history.go(1)" %>

as suggested in another posting related to all these matters. It didn´t work!

Could you help me on that? Thanks a lot!

Regards,
Fábio.

onload is an HTML attribute that fires JavaScript, so it should be applied to the body:

<body onload="history.go(1);">

However, you could use try this at the top of the page: This forces (usually) the browser to rerequest the page, resulting in a redirect to the login page (that is, if your protection scheme works OK).

Cheers,

Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.

I´m back, Imar.

Guess what...

<% Response.Expires = -1 %> didn´t work but...

<body onload="history.go(1);"> worked marvellously!! :D

It is, once more, a great pleasure to thank you very much indeed for your continuous support!

All the best,
Fábio.