After implementing form authentication and clearing session, user can access page

  • Question

  • User1052662409 posted

    Hi All,

    Below is my code for login page.

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (Do_Login())
        {
            Session["user_name"] = txtUserName.Text.Trim();
            FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
        }
        else
        {
            WebMsgBox.Show("Invalid user name or password !");
        }
    }

    And below is my web.config code

    <authentication mode="Forms">
      <forms defaultUrl="~/Dashboard.aspx" loginUrl="~/Login.aspx" slidingExpiration="true" timeout="2880">
      </forms>
    </authentication>

    and on the logout button I have an a href link which redirects to the login page. On this login page's Page_Load event I am clearing the session like below

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            Session.Clear();
            Session.Abandon();
            Session["user_name"] = null;
        }
    }

    But still, after logout, if the user uses the browser's back button and goes back to some pages (without logging in), he/she can access all pages, whereas it should go to the login page as the session has expired.

    Why is it happening?

    Please suggest.


    Thursday, January 17, 2019 11:04 AM

Answers

  • User1724605321 posted

    Hi demoninside9,

    You can try clearing the authentication cookie and the session cookie to log the user out:

    FormsAuthentication.SignOut();
    Session.Abandon();
    
    // clear authentication cookie
    HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
    cookie1.Expires = DateTime.Now.AddYears(-1);
    Response.Cookies.Add(cookie1);
    
    // clear session cookie (not necessary for your current problem but I would recommend you do it anyway)
    SessionStateSection sessionStateSection = (SessionStateSection)WebConfigurationManager.GetSection("system.web/sessionState");
    HttpCookie cookie2 = new HttpCookie(sessionStateSection.CookieName, "");
    cookie2.Expires = DateTime.Now.AddYears(-1);
    Response.Cookies.Add(cookie2);
    
    FormsAuthentication.RedirectToLoginPage();

    Reference: https://stackoverflow.com/questions/412300/formsauthentication-signout-does-not-log-the-user-out

    Best Regards,

    Nan Yu

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, January 18, 2019 2:47 AM

All replies

  • User475983607 posted

    Why it is happening?

    IMHO, storing the same information in two different state management frameworks is not a good design approach because it requires synchronizing the two frameworks. I recommend dropping the Session logic as it is redundant.

    I believe the main issue is browser caching. You can easily verify this on your own by opening dev tools (F12) and viewing the network trace. Click the back button and you should see the page is loaded from cache, not from the server.

    The ASP.NET docs cover caching and how to disable it. Go through the docs. Keep in mind, this is a pretty common scenario that has been around a long, long time, so there is a lot of information out there on the Internet.

    https://docs.microsoft.com/en-us/aspnet/web-forms/overview/moving-to-aspnet-20/caching

    https://support.microsoft.com/en-us/help/323290/how-to-cache-in-asp-net-by-using-visual-c-net

    Thursday, January 17, 2019 1:00 PM
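Putting the two replies together as an added example (not code from either poster): a base page that sends no-store cache headers so a back navigation after logout cannot be served from the browser cache, and a server-side logout that destroys the forms ticket and the session before redirecting. It assumes web.config also denies anonymous users with `<authorization><deny users="?"/></authorization>`, which the posted config does not show, and uses the default `ASP.NET_SessionId` cookie name; the class and handler names are illustrative.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Added example, not the posters' code. Authenticated pages derive from this
// base class so every response forbids caching; a back navigation after logout
// then has to hit the server, where the missing forms ticket sends the request
// back to loginUrl (given <authorization><deny users="?"/></authorization>).
public class NoCachePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        Response.Cache.SetCacheability(HttpCacheability.NoCache); // Cache-Control: no-cache, Pragma: no-cache
        Response.Cache.SetNoStore();                              // Cache-Control: no-store
        Response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));  // Expires header in the past
    }

    // Defence in depth: if a request reaches a protected page without a valid
    // ticket (e.g. the deny rule is missing), redirect instead of rendering.
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
        }
    }
}

public partial class Dashboard : NoCachePage
{
    // Logout as a server-side handler rather than a plain <a href> to the login
    // page: ticket and session are destroyed before the browser is redirected.
    protected void btnLogout_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();   // expires the forms ticket cookie
        Session.Abandon();               // discards server-side session state

        // Assumption: default session cookie name ASP.NET_SessionId; the accepted
        // answer reads it from SessionStateSection instead.
        var sessionCookie = new HttpCookie("ASP.NET_SessionId", string.Empty) { Expires = DateTime.UtcNow.AddYears(-1), HttpOnly = true };
        Response.Cookies.Add(sessionCookie);

        FormsAuthentication.RedirectToLoginPage();
    }
}
```

With the headers in place, the F12 network trace mentioned above should show the back navigation as a real request that receives a 302 to Login.aspx rather than a cache hit.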