Jared, Thanks for the reply on that, could you flesh it out a little more please.
Steve
OK, say you have an online shopping site with sign-in page, catalogue pages, product detail pages, etc. Set them up kind of like frames within the main site, except put the individual pages in include files instead of inner frames. The basic page layout would be a large select case or if then else statement which would give the browser the different pages he could visit. The first case should be if session("userID") = "" and the user should be referred to the log in page. The trickiest part would be to do all of the navigation by form submission sothat the data that determines which page you visit is never stored by the user (if you ever put info in a querystring, the browser will save this info as a different URL you visited, and that is what you are trying to avoid. If all of the info a previous user sent to the page went through forms with hidden inputs no info is saved by the browser except which page he visited, and if they are all the same ASP page the browser only registers the fact that it visited the one page multiple times). So after logging in I show the catalogue page, each item hyperlink (going to a product detail page) could actually set off a javascript function that enters this data in a hidden form field and submits the form. Hidden form fields aren't even filled in by auto-complete browser functions, so new users would never see those.
The drawbacks to this approach are 1- you will have very long, complicated code to do what is essentially easy stuff. 2- you would have to do it from scratch, this would be long and tedious to do for an existing site. 3- When a user goes to submit an order he may have to go to a form and see auto-completed information anyway, so all your effort may be for naught.
On the other hand, you could do very well by just checking for a session("userID") at the top of every page, and if this is missing, send the user back to the log in page. If the session("userID") is present, include a session identifier as part of the querystring in every single href attribute. (<a href="productDetailPage.asp?productID=43x1&session =546271">Lace-up blue sneakers</a>) This way the browser will interpret each link as never-before visited even if you never use the session ID part of the querystring in your page. And if a user is not logged in, even if he sees a product ID in a querystring, if he tries to visit it in the cache he will be sent back to the log in page.
I'm starting to ramble, but I think this is a better option for most applications. Does this make sense? Would this work for you?
Jared
14
