views:

132

answers:

3

Hello

I have a login page, so once the user enters the correct details he enters the home page. Now I want to implement 3 things:

  1. Once he clicks the 'log out' button he must be redirected to a page saying "logged out successfully", and even if he clicks the back button in the browser he should not be able to access it.

  2. If the user leaves the homepage idle for a specific amount of time, say 10 minutes, and then tries to navigate after 10 minutes, a message should display saying "Your session has expired, login again".

  3. If given the URL of the homepage, he shouldn't be able to access it unless logged in. I am not sure about what exactly I need to do and how to do it. Please help. Regards

Indranil Mutsuddy

A: 
rahul
Thanks Rahul. Can you give a brief about disabling the caching? Thanks in advance
Indranil Mutsuddy
`Response.Cache.SetCacheability(HttpCacheability.NoCache);`
rahul
See http://msdn.microsoft.com/en-us/library/c4yy9w70.aspx
rahul
`Response.Cache.SetCacheability(HttpCacheability.NoCache);` This code works fine in IE but not in Mozilla. Any suggestions?
Indranil Mutsuddy
+2  A: 

1) When the user logs out of the system I would recommend doing a `Session.Abandon()`. If the user clicks the Back button in the browser he might see the cached version of the old page (this is entirely browser dependent), but he won't be able to do anything anyway. Disable the caching in your pages and the user shouldn't even see the cached old version :) A simple way to do this would be to add the following into Global.asax's Application_BeginRequest:

  HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);
  HttpContext.Current.Response.Cache.SetNoStore();

2) In your web.config set the session lifetime to 10 minutes, incremental. That will do the trick:

  <system.web>
    <authentication mode="Forms">
        <forms defaultUrl="~/LoggedIn.aspx" loginUrl="~/Login.aspx" protection="All" path="/" slidingExpiration="true" timeout="10"/>
    </authentication>
  </system.web>

3) You can do this using authorization rules in web.config. If you want no anonymous users to access your website just enable access only to logged in users like this:

  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>

If you want to restrict access not to the whole website, but only to some areas (like the MyAccount area), then you can add this instead. Note: web.config can have multiple <location> elements!

  <location path="MyAccountFolder">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>

There's one important note about the location tag. The path does NOT start with a '/'! So if you want to secure the /MyAccount folder, then your tag will start like this:

<location path="MyAccount" />
Artiom Chilaru
Thanks buddy. But how to implement the no-caching thing???
Indranil Mutsuddy
Added an example into point 1).
Artiom Chilaru
Hi, thanks for your reply. I tried this on the Page_Load event (pages that can be viewed after logging in only): `if (Session["UserId"] == null) Response.Redirect("login.aspx");` On the login page I have `Session["UserId"] = txtBox1.Text;` and somehow it works. Is it the correct way?
Indranil Mutsuddy
Not really.. If you add the code from points 2) and 3) to your web.config then if an anonymous user accesses a page in your website and is not logged in - he will be automagically redirected to ~/Login.aspx. When he successfully logs in - he'll be redirected to ~/LoggedIn.aspx. As you can see this is completely transparent and configurable, no extra code needed in every page :)
Artiom Chilaru
Added another example at the bottom of the answer. Don't forget to "accept" the answer if it answers your question ;)
Artiom Chilaru
Thanks Artiom, it's a lot more help... thanks again for your time.
Indranil Mutsuddy
Hi Artiom, I did it exactly the way you mentioned, but I'm facing problems like: 1. After logging out (`Session.Abandon()` at its load event), when I click the back button it does go inside and works as if never logged out (I included the cache code, code #2 and #3 as you said). 2. After including the 'no cache' code my login page takes way too much time (as it has picture slides) and sometimes the CSS doesn't even load. 3. Suppose I opened my login in Mozilla; after logging in I copied the home URL, so when I log out and paste the URL, the page does open without error.
Indranil Mutsuddy
4. When the time elapses and I reload the page, it gets redirected to the login page but the images and CSS are disordered. P.S. I uploaded my project at the following link: http://www.4shared.com/file/ahtJUNN3/MyModifiedDesign20Apr.html please have a look. I have not included the code related to sessions and stuff there. Thanks a lot again.
Indranil Mutsuddy
If you click the Back button, the browser will load the cached version of the page. In some cases, the browser will even ignore the no-cache headers. This doesn't mean that the page will work though. If you click refresh at this point, you will be thrown to the login page. So this is not a security issue at all.
Artiom Chilaru
I would recommend removing the caching code. This way your pages will load faster, be cached, but the website will still be secure, so you don't have to worry :) If the user isn't redirected to the login page (from what you said in 1. and 3.) you didn't correctly set up the authorization rules from my third snippet. Please check your configuration again. (I added a note at the bottom of the post about it!)
Artiom Chilaru
Thanks for the quick reply... I tried to put all the secure pages into a folder but that also was showing some parsing error... and about the things you mentioned now, I'll cross-check and let you know. Thanks again
Indranil Mutsuddy
Works fine, thanks for your support :)
Indranil Mutsuddy
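The answer above shows points 2) and 3) as separate `<system.web>` fragments, and the follow-up comments report a parsing error when they were combined, a login page whose CSS and images stopped loading, and a logged-out page that must still be reachable. The root web.config below is an added example (not the poster's or the answerer's own file) that folds those snippets into a single `<system.web>`, since two of them at the same level is a configuration error. The folder name `Content` and the page names `Login.aspx`, `LoggedIn.aspx` and `LoggedOut.aspx` are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example: one root web.config combining the authentication, timeout and
     authorization snippets from the answer. Not taken from the original thread. -->
<configuration>
  <system.web>
    <!-- Point 2: the forms-authentication ticket lasts 10 idle minutes (sliding).
         This, not the session, is what sends an idle user back to Login.aspx. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" defaultUrl="~/LoggedIn.aspx"
             protection="All" path="/" timeout="10" slidingExpiration="true"
             cookieless="UseCookies" />
    </authentication>

    <!-- Keep server-side session state in step with the ticket, so anything stored
         in Session (e.g. Session["UserId"]) is gone at the same time the ticket is. -->
    <sessionState mode="InProc" timeout="10" />

    <!-- Cookies not readable from script; set requireSSL="true" once the site is on HTTPS. -->
    <httpCookies httpOnlyCookies="true" requireSSL="false" />

    <!-- Point 3: anonymous users ("?") are denied everywhere and redirected to loginUrl.
         Only ONE <authorization> element may appear in this <system.web>. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Exceptions are expressed with <location>; the path is relative, no leading '/'.
       Static assets must stay open, or the login page (rendered to an anonymous user)
       loses its CSS and images under the integrated pipeline, which is the
       "disordered" layout described in the comments. -->
  <location path="Content">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Point 1: the "logged out successfully" page is shown to a user who no longer
       has a ticket, so it has to be reachable anonymously as well. -->
  <location path="LoggedOut.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

`Login.aspx` itself does not need a `<location>` entry: the forms-authentication module exempts `loginUrl` from URL authorization, otherwise the redirect would loop. Everything else under the site root inherits `<deny users="?"/>`, so a pasted URL to the home page without a valid ticket is bounced to the login page before any page code runs.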
A: 

You should generally use ASP.NET Forms Authentication for this.

  • When the Log Out button is clicked, call FormsAuthentication.SignOut. This will remove the forms-authentication ticket information from the cookie (or URL if cookieless).

  • For a timeout, use the timeout attribute in the system.web/authentication/forms element of your web.config. Note that your forms authentication timeout is independent of your Session timeout.

Joe
Thanks a lot Joe for your support.
Indranil Mutsuddy
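Both answers describe the same three pieces in prose: a logout that calls `FormsAuthentication.SignOut` (and `Session.Abandon`) and lands on a "logged out" page, an idle timeout driven by the `timeout` attribute of the `<forms>` element, and protected pages that are reachable only with a ticket. The C# below is an added example (not code from either answerer) that puts those pieces together on top of the Forms Authentication web.config discussed above. It also scopes the no-cache headers to authenticated `.aspx` responses only, which addresses the slow login page and missing CSS reported in the comments. Assumed names: controls `btnLogout`, `btnLogin`, `txtUser`, `txtPassword`, `lblMessage`; pages `LoggedOut.aspx` and `Login.aspx`; the marker cookie `had_ticket`; and `Membership.ValidateUser` standing in for whatever credential check the site really uses.

```csharp
// Added example: Global.asax.cs, the home page's logout handler and the login page.
// Assumes the Forms Authentication web.config from the answers (loginUrl, timeout="10",
// slidingExpiration="true", <deny users="?"/>). Names below are assumptions.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Shared constant (put in App_Code for a Web Site project).
public static class AuthCookies
{
    public const string Marker = "had_ticket";   // assumed name; outlives the 10-minute ticket
}

public class Global : HttpApplication
{
    // (1) Back button after logout: send no-store headers, but only for .aspx requests made
    // by an authenticated user. Static files and the login page keep normal caching.
    protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext ctx = Context;
        if (!(ctx.Handler is Page) || !ctx.Request.IsAuthenticated) return;

        ctx.Response.Cache.SetCacheability(HttpCacheability.NoCache);        // Cache-Control: no-cache, Expires: -1
        ctx.Response.Cache.SetNoStore();                                      // Cache-Control: no-store (what Firefox needs for Back)
        ctx.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);  // must-revalidate
    }
}

public partial class Home : Page
{
    // (1) Logout: drop the ticket, the server-side session and the marker cookie,
    // then land on a page that anonymous users are allowed to see.
    protected void btnLogout_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();     // removes the forms-auth cookie (or URL ticket if cookieless)
        Session.Abandon();                 // server state is gone even if the old session id is replayed
        ExpireCookie("ASP.NET_SessionId"); // default session cookie name
        ExpireCookie(AuthCookies.Marker);  // so the next login-page visit is not reported as "expired"
        Response.Redirect("~/LoggedOut.aspx");   // shows "Logged out successfully"
    }

    private void ExpireCookie(string name)
    {
        // Overwrite with an already-expired cookie so the browser discards it.
        Response.Cookies.Add(new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            HttpOnly = true
        });
    }
}

public partial class Login : Page
{
    // (2) Idle timeout: once the 10-minute ticket has expired, Forms auth itself redirects
    // the next request here with ?ReturnUrl=... The marker cookie distinguishes a
    // timed-out visitor from one who never logged in, so only the former sees the message.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack || Request.IsAuthenticated) return;
        bool redirectedHere = Request.QueryString["ReturnUrl"] != null;
        if (redirectedHere && Request.Cookies[AuthCookies.Marker] != null)
            lblMessage.Text = "Your session has expired, please log in again.";
    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Membership.ValidateUser assumes a configured membership provider; substitute your own
        // credential check. Never treat a non-empty textbox as proof of identity.
        if (!Membership.ValidateUser(txtUser.Text, txtPassword.Text))
        {
            lblMessage.Text = "Invalid user name or password.";
            return;
        }

        Response.Cookies.Add(new HttpCookie(AuthCookies.Marker, "1")
        {
            HttpOnly = true,
            Expires = DateTime.UtcNow.AddDays(1)
        });
        Session["UserId"] = txtUser.Text;   // set server-side only after a successful check

        // (3) Issues the ticket and sends the user to ReturnUrl (or defaultUrl). A direct
        // request for a protected page without a ticket never runs page code at all:
        // <deny users="?"/> bounces it to this login page first.
        FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
    }
}
```

The check that matters for the "pasted URL" case is done by the UrlAuthorizationModule before any `Page_Load` runs, so the per-page `Session["UserId"] == null` test from the comments becomes unnecessary. Note that the forms ticket timeout and `sessionState timeout` are separate clocks, as Joe's answer points out; the example keeps them equal so that the ticket and the session expire together.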