
Forms Authentication No Cache AND avoiding Web Page Has Expired Ms

I have a site which I secure with forms authentication. When the users
sign on and hit one of the secure pages, I have this line in my code to
ensure that the browser does not cache the page, so that, in theory, someone
cannot navigate back to a cached image of the page after the user has signed off.

Response.Cache.SetCacheability(HttpCacheability.NoCache);

This works all right, except when the user decides to use the browser's back
button to navigate between a menu page and a web page inside the secure forms
authentication directory; the page they are going back to while they're
logged in in the secure directory gets expired and they get the Web Page Has
Expired Msg.

While they are signed in and in the secure directory I would like them to be
able to go back and forth to the area freely; but I want to destroy the cache
of the pages they visited upon logout or session expiration. Is there a way
to do this? Or to force the browser to reload a page completely when it's
expired?

Aug 15 '08 #1
Hello ch************************@discussions.microsoft.com,

How do u handle session expiration and logout?! do u have special logout
stuff for your webservice and how do you clear session/cache during logout/expiration?!

---
WBR,
Michael Nemtsev [Microsoft MVP] :: blog: http://spaces.live.com/laflour

"The greatest danger for most of us is not that our aim is too high and we
miss it, but that it is too low and we reach it" (c) Michelangelo
Aug 15 '08 #2
This is done via an asp login status control, which is a link; when clicked it
fires off the onloggingout event, which calls these two methods:

Session.RemoveAll();
Session.Abandon();

There's also the session timeout.
Aug 15 '08 #3
Hi,

Based on my understanding, what you want to do is use
"Response.Cache.SetCacheability(HttpCacheability.NoCache);" to prevent some
pages from being cached at client-side. And you also want to allow the
cache when the current user has logged in, but remove the cache after
logout or session timeout, correct?

If this is the case, I'm afraid it is quite difficult for a browser-based web
application. That's because
"Response.Cache.SetCacheability(HttpCacheability.NoCache);" just sets the HTTP
cache header when the page is flushed out. Thus, if you originally enable cache
for that page (when the user is logged in at that time), you cannot access that
cache or remove it from ASP.NET code later (if the user logs out); all the
caches are controlled by the client browser from then on. IMO, if security is
the top priority, the best approach is still to disable caching for all those
security-sensitive pages (for both logged-in and logged-out users). What do you
think?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subs...#notifications.

This posting is provided "AS IS" with no warranties, and confers no rights.
Aug 27 '08 #4
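
Added example (not part of the original thread and not code from any of its posters): one way to apply the advice in post #4, disabling caching for every response under the protected directory regardless of login state, alongside the logout handler described in post #3. The directory ~/Secure/ and the class, page and handler names are assumptions; the module is registered under <httpModules> (classic pipeline) or <system.webServer>/<modules> (integrated pipeline) in web.config.

```csharp
// Added example, not code from the thread. Names are hypothetical.
using System;
using System.Web;
using System.Web.UI.WebControls;

// Applies one cache policy to every response under the protected directory,
// whether or not the request is authenticated, so no copy is left in the
// browser cache for the next person at the same PC.
public class SecureAreaNoCacheModule : IHttpModule
{
    // Assumption: the forms-authentication directory is ~/Secure/.
    private const string SecurePrefix = "~/Secure/";

    public void Init(HttpApplication app)
    {
        // BeginRequest fires for every request, including ones that are
        // later rejected and redirected to the login page.
        app.BeginRequest += ApplyNoCache;
    }

    private static void ApplyNoCache(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;
        if (!path.StartsWith(SecurePrefix, StringComparison.OrdinalIgnoreCase))
            return;

        HttpCachePolicy cache = ctx.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache); // the line from post #1
        cache.SetNoStore();                              // adds "no-store" to Cache-Control
    }

    public void Dispose() { }
}

// Code-behind for the page hosting the LoginStatus control (post #3).
public partial class SecureMenu : System.Web.UI.Page
{
    // Wired up as OnLoggingOut="LoginStatus1_LoggingOut" in the markup.
    protected void LoginStatus1_LoggingOut(object sender, LoginCancelEventArgs e)
    {
        // Server-side state ends here; nothing in this handler can reach pages
        // a browser has already cached, which is why the module never lets
        // them be cached in the first place.
        Session.RemoveAll();
        Session.Abandon();
    }
}
```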
Steven,

Thank you for your response.

I have two issues out of this one central issue.

1.) The users are complaining that they can't use the browser's back button to
go back to one of these secure pages without seeing "Web Page Has Expired,"
and that they have to use a specific Back button that I've put on the pages in the
application, which does a response.redirect to a page and does NOT give them
this message. They want to be able to use the browser's back button and have
the page reload itself, without getting prompted for a reload or seeing
some error page in lieu of the real page they're trying to get to.

2.) I don't want the forms authentication pages to be available in cache
after the user has timed out or has logged off, so that some other user using
the same PC can come along and view the "secure" page later without even
logging into the system and have the proper authentication for role.

So it sounds like from your last post this might be difficult to do. Are
there any solutions?

Aug 27 '08 #5
Thanks for your reply,

Yes, for the 1) one you mentioned, I'm afraid that's the case. The user has
to revisit the page if the original has expired. That's the safe
strategy for that case.

Anyway, for expiring a page, we could only determine whether it should be
always un-cached on the client side, but not dynamically cache it or invalidate
its cache on the client side (depending on whether the user is logged on or not).

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

Aug 29 '08 #6
