PeterJ
Posts: 90
Posted: 02/22/2005, 8:55 AM
Can you assist with a logout problem? I have created a login facility to access restricted pages. When the user logs in they are directed to a particular page so that they can access a menu system allowing access to restricted pages. This works fine; however, when they log out I have discovered that simply by hitting the back button on the browser the user is taken back to the restricted page and not the login page. I would have expected the session to have ended and an attempt to go back to result in the user being sent to the login page.
I can't seem to identify where I have gone wrong with this and I think I am missing the obvious.
Thanks

peterr
Posts: 5971
Posted: 02/22/2005, 11:02 AM
Peter,
This is normal.
Web browsers don't know anything about sessions being ended on the server. Thus the Web browser only displays the cached page. I tested the same behavior with Google and I could also go back and see some restricted pages after I logged out.
Thus I don't think that it's a big problem unless you're in an environment where unauthorized people can walk up to someone's desktop and play with it. In such a case you may have a bigger problem than just a back button. The pages are usually stored in the Web browser's cache anyway, so someone can access them from the hard drive as well, plus steal other sensitive data from the computer.
Though if you want to disable caching at the cost of slowing down your server's performance, then you can turn off the "Improved HTTP caching" property for your project (look in the Properties window after clicking on the project name in the Project Explorer). You can also control page caching via HTML META tags.
_________________
Peter R.
YesSoftware Forums Moderator
For product support please visit http://support.yessoftware.com

PeterJ
Posts: 90
Posted: 02/22/2005, 11:15 AM
Thank you, peterr.
I hadn't really noticed this before, oddly enough. Possibly the way I had set up the sites.
I understand what you are saying and thank you for taking the time to comment.
PeterJ

Damian Hupfeld
Posted: 02/22/2005, 2:03 PM
Additionally, I have found that it doesn't always actually log you out: it's not just the BACK button that allows you back in, but also actually clicking on a restricted link shows that you are not logged out.
I believe that the LOGOUT function should not be on the AFTER INITIALISE but on the BEFORE SHOW for the page. Try it and I think you will find that it does actually log you out.
I think it is an application error, personally.
regards
Damian Hupfeld http://www.nexthost.com.au/services.php

peterr
Posts: 5971
Posted: 02/22/2005, 2:39 PM
If this happened then indeed there would be a problem.
I personally don't believe that this happens in a "normal" application, unless something was customized incorrectly. In such cases our support may also be able to help.
_________________
Peter R.
YesSoftware Forums Moderator
For product support please visit http://support.yessoftware.com

Damian Hupfeld
Posted: 02/22/2005, 3:10 PM
This is my experience; mind you, I haven't tested it with the current version.
"peterr" <peterr@forum.codecharge> wrote in message
news:5421bb494dc54b@news.codecharge.com...
> If this happened then indeed there would be a problem.
> I personally don't believe that this happens in a "normal" application,
> unless
> something was customized incorrectly. In such cases our support may also
> be
> able to help.
> _________________
> Peter R.
> YesSoftware Forums Moderator
> For product support please visit http://support.yessoftware.com

PeterJ
Posts: 90
Posted: 02/23/2005, 11:41 AM
Hi
Damian is partly correct (in my case). The logout is in the before show event not the after initialise BUT when logged out I can still get into the "secure" pages by clicking on the links on the login page or paging back. Something is wrong. I've reported it to the support team

klwillis
Posts: 428
Posted: 02/23/2005, 11:52 AM
What happens when you run your application through a secure connection (https:// protocol)?
Quote PeterJ:
Hi
Damian is partly correct (in my case). The logout is in the before show event not the after initialise BUT when logged out I can still get into the "secure" pages by clicking on the links on the login page or paging back. Something is wrong. I've reported it to the support team
_________________
Kevin Willis, VP/CIO
HealthCare Information Technology Specialist
http://www.nexushealthcare.com
"Fast - Convenient - Quality-Care"
Medical Software Consulting Services
Email : klwillis@nexushealthcare.com
Skype : klwillis2006

PeterJ
Posts: 90
Posted: 02/24/2005, 4:49 PM
klwillis, I haven't tried your solution; however, I think I have located the problem. When I use the builder to create a login form, the builder does not create an after initialize event. When I compare this with the EmplDir example in the sample pack, it is in place. If I add the after initialize event to the newly created login form it works fine and I cannot return to the secure pages. If I'm right, I think this is a bug that needs a quick fix; otherwise users will have a serious problem. However, I am awaiting a response from the support team.

sbwtxj
Posts: 27
Posted: 02/24/2005, 5:31 PM
PeterJ,
This is my experience, but for Java; I think it can be adapted to PHP.
First, I create an includable file named header_maintain.
The content of this source file is the following:
<form action="?logout=true" method="post">
  <table cellspacing="0" cellpadding="0" width="50%" border="0">
    <tr>
      <td align="left" bgcolor="#ccffff"> {UserLabel}</td>
      <td align="left">
        <!-- BEGIN Button LogOut --><input type="submit" value="logout" name="{Button_Name}"><!-- END Button LogOut -->
      </td>
    </tr>
  </table>
</form>
The logout parameter in the action string is handled by the header_maintain page's server-side AfterInitialize event. The code is the following:
//Event AfterInitialize Action Custom Code @6-44795B7A
// Runs before the page is rendered: when the form above was submitted
// with ?logout=true, end the current session and redirect.
if (e.getPage().getRequest().getParameter("logout") != null) {
    com.codecharge.util.Authenticator auth =
        com.codecharge.util.AuthenticatorFactory.getAuthenticator(e.getPage().getRequest());
    auth.setRequest(e.getPage().getRequest());
    auth.setResponse(e.getPage().getResponse());
    auth.invalidate();                  // drops the server-side session
    e.getPage().setRedirectString("");  // String can be index.xxx or blank
}
//End Event AfterInitialize Action Custom Code
Second, I show a friendly message for the logged-in user.
The server-side BeforeShow event code of the page is the following:
//Event BeforeShow Action Custom Code @4-44795B7A
String loginName = Utils.getUserId(e.getPage());
if (loginName != null) {
    // Quote the user id before putting it in the lookup filter ("crm" is the connection name)
    loginName = DBTools.toSql(loginName, JDBCConnection.TEXT, "crm");
    // Look up the user's display name (g_zwxm) in T_grxx
    loginName = (String) DBTools.dLookUp("g_zwxm", "T_grxx", "g_username=" + loginName, "crm");
}
if (loginName == null) {
    loginName = "";  // nobody logged in (or no row found): show no name rather than "null"
}
e.getControl().setValue("<font color=green> Welcome </font><font color=red>" + loginName + " </font> !");
//End Event BeforeShow Action Custom Code
I think this approach can be of some help.
Thanks,
shanbw
_________________
Regards,
shanbw
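The thread separates two different things: peterr's point that the browser's Back button may show a cached copy of a restricted page regardless of what the server did (which the "Improved HTTP caching" option or META tags address), and PeterJ's and Damian's finding that a logout which only redirects, without invalidating the session, leaves every restricted link working, which sbwtxj's Java handler fixes with auth.invalidate(). The Python below is an added example written for this page, not CodeCharge Studio code and not taken from any poster; the user table, session store, cookie name "sid", handler names and the tiny Browser model are all assumptions. It runs the same sequence (log in, open the menu, log out, press Back, click the menu link) against a logout that never invalidates the session, a real logout on a cacheable page, and a real logout on a page sent with Cache-Control: no-store.

```python
"""Login/logout model: a session store, a restricted page, two logout
handlers and a tiny browser with a Back button.  Constructed example;
names, credentials and handlers are assumptions, not CodeCharge code."""
import secrets

USERS = {"peterj": "correct horse"}  # constructed credential table
SESSIONS = {}                         # server-side store: session id -> user

# Headers that tell the browser (and any proxy) not to keep a copy of the
# page, so Back has to ask the server again instead of showing a stale copy.
NO_STORE = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}


def login(_sid, user, password):
    """Issue a fresh random session id on success.  Every handler takes the
    browser's current session id first so Browser.visit can call them all
    the same way."""
    if USERS.get(user) != password:
        return 401, {}, "bad credentials"
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return 302, {"Location": "/menu",
                 "Set-Cookie": f"sid={sid}; HttpOnly; Path=/"}, ""


def restricted_page(sid, send_cache_headers=True):
    """The menu page: consults the session store on every request."""
    user = SESSIONS.get(sid)
    if user is None:
        return 302, {"Location": "/login"}, ""
    headers = dict(NO_STORE) if send_cache_headers else {}
    return 200, headers, f"menu for {user}"


def logout_broken(_sid):
    """Reproduces the symptom in the thread: sends the user to the login
    page but never invalidates the server-side session."""
    return 302, {"Location": "/login"}, ""


def logout(sid):
    """Real logout: drop the session server-side and expire the cookie."""
    SESSIONS.pop(sid, None)
    return 302, {"Location": "/login",
                 "Set-Cookie": "sid=; Max-Age=0; HttpOnly; Path=/"}, ""


class Browser:
    """Keeps one cookie and a history.  Back serves the stored copy when the
    server did not forbid storing it, otherwise it re-requests the page."""

    def __init__(self):
        self.sid = None
        self.history = []  # (handler, args, cached body or None)

    def visit(self, handler, *args):
        status, headers, body = handler(self.sid, *args)
        if "Set-Cookie" in headers:
            value = headers["Set-Cookie"].split(";", 1)[0].split("=", 1)[1]
            self.sid = value or None
        if status == 200:
            cacheable = "no-store" not in headers.get("Cache-Control", "")
            self.history.append((handler, args, body if cacheable else None))
        return status, body

    def back(self):
        if not self.history:
            return None, None
        handler, args, cached = self.history[-1]
        if cached is not None:
            return 200, cached  # shown from cache; the server is never asked
        status, _, body = handler(self.sid, *args)
        return status, body


def scenario(logout_handler, send_cache_headers):
    """Log in, open the menu, log out, press Back, then click the menu link.
    Returns (status the user sees after Back, status of the link click)."""
    SESSIONS.clear()
    browser = Browser()
    browser.visit(login, "peterj", "correct horse")
    browser.visit(restricted_page, send_cache_headers)
    browser.visit(logout_handler)
    back_status, _ = browser.back()
    link_status, _ = browser.visit(restricted_page, send_cache_headers)
    return back_status, link_status


if __name__ == "__main__":
    print("logout never invalidates:", scenario(logout_broken, True))  # (200, 200)
    print("real logout, page cached:", scenario(logout, False))        # (200, 302)
    print("real logout, no-store:   ", scenario(logout, True))         # (302, 302)
```

The middle case is the "normal" behaviour peterr describes: the session is gone and the link redirects to the login page, but Back still shows the stale copy the browser kept. Only the combination of invalidating the session and sending Cache-Control: no-store on restricted pages gives the result PeterJ expected. Sending these as real HTTP response headers is preferable to META http-equiv tags, which browsers and proxies honour inconsistently.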