Perennial problem.
You could try to disable the Back button (e.g. by deleting the browser
history). Disadvantages are that it annoys users and is, anyway, only
partially successful.
Another strategy is to maintain an application state object on the server.
If the user uses the Back button, it will behave as you say, but when an
event does occur, you can check the consistency of the state object and if
it is not consistent, redirect the user. This means that you need to check
consistency on just about every postback, so it's expensive and still not
very friendly.
In your case, it seems to me that a better solution is to use forms
authentication and then to use attributes on your Pages to raise a security
challenge each time the page is accessed. This will also allow you to use
role-based security as well, should you need it. You can also put
attributes on any methods you don't want to run unless the user is logged
in. None of this means that your users will not be able to use the back
button, but it does mean that they will be returned to the login page at the
first security challenge.
When users logout, however they do that (e.g. submitting a final form,
clicking a Sign Out button or whatever), you will need to make sure you use
FormsAuthentication.SignOut() and Session.Abandon(). You should also set
your Session to time out after a reasonable interval - depending on your
application's requirements.
HTH
Peter
"joe" <jo*@discussions.microsoft.comwrote in message
news:3A**********************************@microsof t.com...
Logout question
I use a session to store the login information, say Session("Login") =
success
and use page_load to test the session("Login") success or not
say If Session("Login") <success then
response.redirect("LoginPage.aspx")
But when i use logout to set Session("Login") = "" then redirect to
LoginPage,
the user click BACK button of the browser, the asp.net will not run the
page_load event
, so i can't check the Session("Login"), what can do this?
