Forms Authentication No Cache AND avoiding Web Page Has Expired Ms

Hello ch************* ***********@dis cu...icros oft.com,

How do u handle session expiration and logout?! do u have special logout
stuff for your webservice and how do you clear session/cache during logout/expiration?!

---
WBR,
Michael Nemtsev [Microsoft MVP] :: blog: http://spaces.live.com/laflour

"The greatest danger for most of us is not that our aim is too high and we
miss it, but that it is too low and we reach it" (c) Michelangelo
cI have a site which I secure with forms authentication. When the
cuser's sign on and hit one of the secure pages, I have this line in
cmy code to ensure that the browser does not cache the page; and
csomeone cannot navigate back to an cached image of the page in theory
cafter the user has signed off.
c>
cResponse.Cache .SetCacheabilit y(HttpCacheabil ity.NoCache);
c>
cThis works all right, except when the user decides to use the
cbrowser's back
cbutton to navigate between a menu page and a web page inside the
csecure forms
cauthentication directory; the page they are going back to while
cthey're
clogged in in the secure directory gets expired and they get the Web
cPage Has
cExpired Msg.
cWhile they are signed in and in the secure directory I would like
cthem to be
cable to go back and forth to the area freely; but I want to destoy
cthe cache
cof the pages they visited upon logout or session expiration. Is
cthere a way
cto do this? Or to force the browser to reload a page completely when
cit's
cexpired?

This is done via a asp login status control-which is a link; when clicked it
fires off the onloggingout event, which calls these two methods:

Session.RemoveA ll();
Session.Abandon ();

There's also the session timeout.

"Michael Nemtsev [MVP]" wrote:

Hello ch************* ***********@dis cu...icros oft.com,

How do u handle session expiration and logout?! do u have special logout
stuff for your webservice and how do you clear session/cache during logout/expiration?!

---
WBR,
Michael Nemtsev [Microsoft MVP] :: blog: http://spaces.live.com/laflour

"The greatest danger for most of us is not that our aim is too high and we
miss it, but that it is too low and we reach it" (c) Michelangelo
cI have a site which I secure with forms authentication. When the
cuser's sign on and hit one of the secure pages, I have this line in
cmy code to ensure that the browser does not cache the page; and
csomeone cannot navigate back to an cached image of the page in theory
cafter the user has signed off.
c>
cResponse.Cache .SetCacheabilit y(HttpCacheabil ity.NoCache);
c>
cThis works all right, except when the user decides to use the
cbrowser's back
cbutton to navigate between a menu page and a web page inside the
csecure forms
cauthentication directory; the page they are going back to while
cthey're
clogged in in the secure directory gets expired and they get the Web
cPage Has
cExpired Msg.
cWhile they are signed in and in the secure directory I would like
cthem to be
cable to go back and forth to the area freely; but I want to destoy
cthe cache
cof the pages they visited upon logout or session expiration. Is
cthere a way
cto do this? Or to force the browser to reload a page completely when
cit's
cexpired?

Hi,

Based on my understanding, what you want to do is use
"Response.Cache .SetCacheabilit y(HttpCacheabil ity.NoCache);" to prevent some
pages from being cached at client-side. And you also want to allow the
cache when the current user has login , but remove the cache after it
logout or session timeout, correct?

If this is the case, I'm afraid it is quite difficult for browser base web
application. That's because the "Response.Cache .SetCacheabilit y
HttpCacheabilit y.NoCache);" just set the http cache header when the page is
flush out. Thus, if you originally enable cache for that page(when the user
is login at that time), you cannot access that cache or remove it from
ASP.NET code later(if the user logout), all the caches are controled by the
client browser since then. IMO, if security is the top priority, the best
approach is still disable caching for all those security sensitive pages
(for both login and logout users). How do you think?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsof t.com.

=============== =============== =============== =====
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subs...#notifications.

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------

>Thread-Topic: Forms Authentication No Cache AND avoiding Web Page Has

Expire

>thread-index: Acj/IUoHJ1WAnWAoRSW kKjlTao8O7Q==
X-WBNR-Posting-Host: 207.46.19.197
Date: Fri, 15 Aug 2008 14:53:02 -0700

>
This is done via a asp login status control-which is a link; when clicked

it

>fires off the onloggingout event, which calls these two methods:

Session.Remove All();
Session.Abando n();

There's also the session timeout.

"Michael Nemtsev [MVP]" wrote:

>Hello ch************* ***********@dis cu...icros oft.com,

How do u handle session expiration and logout?! do u have special logout
stuff for your webservice and how do you clear session/cache during

logout/expiration?!

>>
---
WBR,
Michael Nemtsev [Microsoft MVP] :: blog: http://spaces.live.com/laflour

"The greatest danger for most of us is not that our aim is too high and

we

>miss it, but that it is too low and we reach it" (c) Michelangelo

Steven,

Thank you for your response.

I have two issues out of this one central issue.

1.) The users complaining that they can't use the browser's back button to
go back to one of these secure pages without seeing "Web Page Has Expired,"
and having to use a specific Back button that I've put on the pages in the
application, which does a response.redire ct to a page and does NOT give them
this message. They want to be able to use the browser's back button and have
the page reload itself. Without getting prompted for a reload, or seeing
some error page in lieu of the real page they're trying to get to.

2.) I don't want the forms authentication pages to be available in cache
after the user has timed out or has logged off, so that some other user using
the same PC can come along and view the "secure" page later without even
logging into the system and have the proper authentication for role.

So it sounds like from your last post this might be difficult to do. Are
there any solutions?

"Steven Cheng [MSFT]" wrote:

Hi,

Based on my understanding, what you want to do is use
"Response.Cache .SetCacheabilit y(HttpCacheabil ity.NoCache);" to prevent some
pages from being cached at client-side. And you also want to allow the
cache when the current user has login , but remove the cache after it
logout or session timeout, correct?

If this is the case, I'm afraid it is quite difficult for browser base web
application. That's because the "Response.Cache .SetCacheabilit y
HttpCacheabilit y.NoCache);" just set the http cache header when the page is
flush out. Thus, if you originally enable cache for that page(when the user
is login at that time), you cannot access that cache or remove it from
ASP.NET code later(if the user logout), all the caches are controled by the
client browser since then. IMO, if security is the top priority, the best
approach is still disable caching for all those security sensitive pages
(for both login and logout users). How do you think?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsof t.com.

=============== =============== =============== =====
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subs...#notifications.

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------

Thread-Topic: Forms Authentication No Cache AND avoiding Web Page Has

Expire

thread-index: Acj/IUoHJ1WAnWAoRSW kKjlTao8O7Q==
X-WBNR-Posting-Host: 207.46.19.197
Date: Fri, 15 Aug 2008 14:53:02 -0700

This is done via a asp login status control-which is a link; when clicked

it

fires off the onloggingout event, which calls these two methods:

Session.RemoveA ll();
Session.Abandon ();

There's also the session timeout.

"Michael Nemtsev [MVP]" wrote:

Hello ch************* ***********@dis cu...icros oft.com,

How do u handle session expiration and logout?! do u have special logout
stuff for your webservice and how do you clear session/cache during

logout/expiration?!

>
---
WBR,
Michael Nemtsev [Microsoft MVP] :: blog: http://spaces.live.com/laflour

"The greatest danger for most of us is not that our aim is too high and

we

miss it, but that it is too low and we reach it" (c) Michelangelo

Thanks for your reply,

Yes, for the 1) one you mentioned, I'm afraid that's the case. the user has
to revisit the page if the original has got expired. That's the safe
strategy for that case.

Anyway, for expiring a page, we could only determine whether it should be
always un-cached on client-side, but not dynamically cache it or invalidate
its cache on client-side(depend on whether the user is logon or not).

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsof t.com.

=============== =============== =============== =====
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subs...#notifications.

=============== =============== =============== =====
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------

>From: =?Utf-8?B?Y2hlY2tyYWl zZXJAY29tbXVuaX R5Lm5vc3BhbQ==? =

<ch************ ************@di scussions.micro soft.com>

>Subject: Re: Forms Authentication No Cache AND avoiding Web Page Has Expire
Date: Wed, 27 Aug 2008 10:16:10 -0700

>
Steven,

Thank you for your response.

I have two issues out of this one central issue.

1.) The users complaining that they can't use the browser's back button

to

>go back to one of these secure pages without seeing "Web Page Has

Expired,"

>and having to use a specific Back button that I've put on the pages in the
application, which does a response.redire ct to a page and does NOT give

them

>this message. They want to be able to use the browser's back button and

have

>the page reload itself. Without getting prompted for a reload, or seeing
some error page in lieu of the real page they're trying to get to.

2.) I don't want the forms authentication pages to be available in cache
after the user has timed out or has logged off, so that some other user

using

>the same PC can come along and view the "secure" page later without even
logging into the system and have the proper authentication for role.

So it sounds like from your last post this might be difficult to do. Are
there any solutions?

"Steven Cheng [MSFT]" wrote:

>Hi,

Based on my understanding, what you want to do is use
"Response.Cach e.SetCacheabili ty(HttpCacheabi lity.NoCache);" to prevent

some

>pages from being cached at client-side. And you also want to allow the
cache when the current user has login , but remove the cache after it
logout or session timeout, correct?

If this is the case, I'm afraid it is quite difficult for browser base

web

>application. That's because the "Response.Cache .SetCacheabilit y
HttpCacheabili ty.NoCache);" just set the http cache header when the page

is

>flush out. Thus, if you originally enable cache for that page(when the

user

>is login at that time), you cannot access that cache or remove it from
ASP.NET code later(if the user logout), all the caches are controled by

the

>client browser since then. IMO, if security is the top priority, the

best

>approach is still disable caching for all those security sensitive pages
(for both login and logout users). How do you think?

Sincerely,

Steven Cheng

M