 Restricted pages still accessible

AndyGB4

Posts: 122
Posted: 03/25/2013, 2:18 PM

Hi everyone,

I'm running into a strange problem that I've never encountered before.
I have a login page, and many other pages that are restricted to only show to users that are logged in. Simple enough.

But for some reason, the restricted pages are still showing up, even if you are not logged in.
I loop through all active sessions in a test page, so I can see for sure that the user is NOT logged in.

What can be causing this? Thanks.
Lucius

Posts: 220
Posted: 03/25/2013, 2:30 PM

Just a guess...

Have you checked that this is not only a case of pages being cached by the browser?
AndyGB4

Posts: 122
Posted: 03/25/2013, 2:43 PM

Yup. I cleared cache and everything, tried on different browsers too. Always the same result.
Lucius

Posts: 220
Posted: 03/25/2013, 4:36 PM

The restricted pages have a single call to CCSecurityRedirect function in their base PHP file.

This function is defined in Common.php and uses CCSecurityAccessCheck function to find if your user is in appropriate user group. This function is also defined in Common.php and it uses CCUserInGroups to finally check if user is in defined groups...

Those functions are not complicated, just some basic checks and I don't see anything that could cause such behavior.

What I could think of, and again it's just a guess, is that the session variable for group ID is not cleared every time your user is logged out...


But to be 100% sure I would modify those Common.php functions and add some debugging logging to save the exact states and variables of all of those functions. Then run my web page until I encounter the bug again. When it would show I would check the logs to see what is the issue here.

Unless someone had the same issue and solved it before, I think that's the only way to go.

cvboucher

Posts: 191
Posted: 03/26/2013, 1:21 AM

ASP.Net InMotion uses its own MembershipProvider (MTMembershipProvider) that uses the built in ASP.Net forms authentication. Check
HTTPContext.Current.User.Identity.IsAuthenticated
(returns Boolean) to see if you are still logged in and
HTTPContext.Current.User.Identity.Name
to see who is logged in. There is a setting in the Web.Config that determines how long a user will stay logged in for. I think the default is 12 hours.

Today I added the Logout action to my Login page in CCS5 but it didn't add any code. So I had to copy the code from a CCS4 app.

HTH,
Craig
MichaelMcDonald

Posts: 640
Posted: 03/26/2013, 10:51 AM

I put this in my login page before initialise:

CCSetSession("UserID","");
CCSetSession("GroupID","");


_________________
Central Coast, NSW, Australia.

AndyGB4

Posts: 122
Posted: 03/26/2013, 11:56 AM

Hmm interesting. Thanks for all the possible solutions,
I'm going to be doing some debugging today for sure!

And I wanted to add that the GroupID and UserID sessions are both being cleared properly when I logout. Ok, time to start debugging!
AndyGB4

Posts: 122
Posted: 03/26/2013, 5:47 PM

cvboucher, I'm having trouble getting the values of those 2 properties you showed me.

I've tried using
  
Response.Write(HTTPContext.Current.User.Identity.IsAuthenticated);  

but I get this error:
  
The name 'HTTPContext' does not exist in the current context  

I tried adding "System.Web." in front of it, but it didn't like that either. What is HTTPContext in?
cvboucher

Posts: 191
Posted: 03/27/2013, 1:12 AM

It looks like you are using C# which is case sensitive. Try
HttpContext.Current.User.Identity.IsAuthenticated
Sorry about that. I'm a VB'er and sometimes forget about the case sensitivity of C#.
Craig
AndyGB4

Posts: 122
Posted: 03/27/2013, 6:19 PM

You were right cvboucher, the "Http" change did it.

And with those 2 lines of code, I could see that I am in fact still logged in!

The results were:

Logged In: True
User: admin

So even though all the Sessions like UserID and GroupID and all that are cleared and erased, I am somehow still logged in.

Anyone know what C# InMotion does differently that would keep me logged in?
AndyGB4

Posts: 122
Posted: 03/27/2013, 6:21 PM

Oh! Actually, that test was done with the website just kind of lying around, so the Sessions expired but I was technically still logged in.

Now I tried actually going to my logout page, and this time, it returns False, therefore I am in fact logged out.

So we're back to me being logged out, but still being able to access restricted pages...
AndyGB4

Posts: 122
Posted: 04/09/2013, 5:24 PM

I still haven't figured out what's causing this...

I even recreated my login page with the authentication builder, but I still get the same problem.
mrachow


Posts: 509
Posted: 04/16/2013, 6:28 PM

We had added to all HTML pages the following lines:
<meta http-equiv="pragma" content="no-cache">  
<meta http-equiv="expires" content="0">  
<meta http-equiv="cache-control" content="no-cache">
to prevent caching and let the pages expire immediately.
When pages expire immediately they should always be requested from the server anew, never ever showing legacy content.
By requesting it the actual user should be validated.

_________________
Best regards,
Michael
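
An added example, not code from this thread or from CodeCharge Studio: a C# helper for an ASP.NET Web Forms page that reports the forms-authentication state cvboucher pointed to, the UserID and GroupID session values, and a server timestamp in one place, plus a logout that ends both kinds of state. It assumes the session keys are named as they appear in the thread; `AuthDiagnostics`, `Describe` and `SignOutEverywhere` are hypothetical names.

```csharp
using System;
using System.Text;
using System.Web;
using System.Web.Security;

public static class AuthDiagnostics
{
    // Session keys mentioned in the thread; assumed to match the generated code.
    private static readonly string[] SessionKeys = { "UserID", "GroupID" };

    // Returns the forms-auth identity and the session values side by side.
    // The two are stored independently (auth ticket cookie vs. session state),
    // so one can expire or be cleared while the other is still valid.
    public static string Describe(HttpContext ctx)
    {
        bool authed = ctx.User != null && ctx.User.Identity.IsAuthenticated;
        string name = authed ? ctx.User.Identity.Name : "(none)";

        var sb = new StringBuilder();
        // A fresh timestamp on every reload means the server rendered the page;
        // an unchanged one means the browser or a proxy served a cached copy.
        sb.AppendFormat("Server time (UTC): {0:o}\n", DateTime.UtcNow);
        sb.AppendFormat("Logged In: {0}\nUser: {1}\n", authed, name);
        foreach (string key in SessionKeys)
        {
            object value = ctx.Session != null ? ctx.Session[key] : null;
            sb.AppendFormat("Session[{0}]: {1}\n", key, value ?? "(empty)");
        }
        return sb.ToString();
    }

    // Ends the forms-auth ticket and the server-side session together.
    public static void SignOutEverywhere(HttpContext ctx)
    {
        FormsAuthentication.SignOut();   // expires the auth cookie in this response
        if (ctx.Session != null)
        {
            ctx.Session.Clear();         // drop UserID, GroupID and any other keys
            ctx.Session.Abandon();       // discard the session at end of request
        }
        // Sent as real HTTP headers rather than <meta> tags in the markup.
        ctx.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        ctx.Response.Cache.SetNoStore();
    }
}
```

Writing `Describe(HttpContext.Current)` from inside one of the restricted pages, rather than from a separate test page, shows which identity and session values the server saw at the moment it rendered that page.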