ASP page expiry / refresh

newman

Hi all

I am working on a small web project using ASP that requires the user to navigate using the naviagtion provided in the pages and will log them out if they use the standard back, foward or refresh buttons. Ive been looking at the aib 24 online site which does exactly this. I can see how they are getting pages to expire by making every page a form submit. What I cant figure out is how, when the expiry warning appears and the the user hits refresh - they are logged out and redirected back to the login page.

Anybody any idea how its done ?

Thanks in advance

P

Talliesin

Gah, what an evil thing to do.
I suppose you could put an incrementing value into a hidden field and the log them out if they resent the same value. Hardly a graceful solution, but then the whole concept is anti-web and you're doing it on the web, so it's not likely to be graceful really.

Seth Brundle

just use a session variable called something like isLoggedIn and set its default value to false. when someone logs in theie variable becomes true and when they logout it becomes false again.
have a check on each page to see if isLoggedIn =true and if not then redirect them back!

newman

Thanks for the replies. Talliesin, not sure how the incrementing counter would work. How would you distinguish between a proper page load and a refresh ?
kbannon, the problem isnt how to determine if someone is logged in or not. It is to determine when the user has hit the refresh or back button and if so log them out and redirect.

P

Seth Brundle

the only other thing I can think of is to set a session variable or cookie value called lastPage with a value. Every page you visit sets the value of the previous page (using request.servervariables("http_referer") which is not always guarranteed to work). However before it sets a new value it checks to see the curent value is equal to itself - if not then OK else redirect them.
does that make sense? No? Neither does the logic of the design!

Drakar

Ideally you want to allow your users to use back forward refresh etc, and have logic in the pages which only redisplays information rather than actually performs the page process again. So for example, if a user goes to a shopping website, and clicks Purchase on the purchase page, they should be able to refresh the page (which would redisplay the details of what they have purchased without kicking off a second purchase). Normally this works by tracking what page in the process they are on in a session variable, and then comparing this to the value for the current page to determine if they have went back, forwards or refreshed.

However, if you want to actually prevent them there navigating outside the page navigation methods, there are a number of ways this can be done. One is to use the approach above, but instead of redisplaying the content to the user, instead redirect them if a non standard navigation is performed. This is quite tricky to perform though.

The counter method is easy to do. When you start a session, store a value for the user, say 'pages=1'. Then, for every link on the page pass encode the value nextpage=pages+1 either in a hidden variable on the page, or in the URL (normally this is done with a method which writes the ahref tags in a standard format aswell). Then at the start of each page, check that the value for pages stored in the session is 1 less than the value passed in the URL (or the hidden field in the form).
So for example, user logs on: set session variable pages=1
Display the html to the user, encoding all links to pass nextpage=2 in the link. So if the user clicks Purchase, they will call the purchase page passing the value nextpage=2 in the header. At the top of the Purchase page, the asp code should check that nextpage = pages+1. If it doesn't, it means that the user has navigated to this page in a non standard way. It's a bit icky design wise, but its easy to implement.

blindasfcuk

Hey newman I just started my work experience with the AIBs web dev team so I'll try and find out how they did the log out in the 24hr online and I'll let you know how they do it. Cant log into boards.ie in work god dam websense keeps me out tight as a ducks ass security wise in there but I'll try and post again 2moro night!