gnewsgroup
I am using forms authentication for a web application.
Like many other member web applications, my web application prints out
Welcome! John Doe (Logout)
on the top right corner of each protected page.
But pages can still be visited by following the links in the web
application after a session has timed out, and data can still be retrieved
from the database. I know the session has timed out because at the
top right corner I only see
Welcome! (Logout)
However, when a user explicitly signs out by clicking on Logout,
protected pages are no longer accessible, and they'll be redirected to
Login.aspx.
The code-behind of my logout page is this:
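    using System;
    using System.Web.Security;

    public partial class Logout : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Overwrite the stored name, then drop the server-side session.
            Session["UserName"] = "Junk user name";
            Session.Abandon();
            // Expire the forms-authentication cookie and go back to the login page.
            FormsAuthentication.SignOut();
            Response.Redirect("Login.aspx");
        }
    }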
I did the same thing in global.asax's Session_End method like so:
    void Session_End(object sender, EventArgs e)
    {
        Session.Abandon();
        FormsAuthentication.SignOut();
        Response.Redirect("Login.aspx");
    }
I am wondering how I can really protect the protected pages when a
session has timed out. I must have missed something in this
authentication scheme. Please kindly give me a hint. Thanks.
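The forms-authentication ticket and the session are tracked by separate cookies with separate timeouts, and Session_End runs on the server outside any HTTP request, so nothing it does can reach the browser. The following is an added example, not part of the original post: a per-request check in Global.asax that ends the login when the ticket is still valid but the session data is gone. It assumes the login page stores Session["UserName"] before redirecting and that the login URL is configured in web.config.

```csharp
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Runs on every request, after session state has been loaded for it.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Handlers that do not use session state (static files, *.axd)
        // have no Session object; nothing to check for them.
        if (ctx == null || ctx.Session == null)
            return;

        // Anonymous request: the <authorization> rules in web.config
        // already send it to the login page for protected URLs.
        if (!ctx.Request.IsAuthenticated)
            return;

        // Ticket still valid but the session that held the user's data
        // has expired: this is the "Welcome! (Logout)" state. Treat it
        // as logged out instead of serving the protected page.
        // Assumption: the login page sets Session["UserName"] on success.
        if (ctx.Session["UserName"] == null)
        {
            FormsAuthentication.SignOut();   // expire the auth cookie
            ctx.Session.Abandon();           // discard the empty session
            FormsAuthentication.RedirectToLoginPage();
            // RedirectToLoginPage does not end the request by itself;
            // skip the page handler so no protected content is rendered.
            ctx.ApplicationInstance.CompleteRequest();
        }
    }
}
```

Setting the forms-authentication timeout no longer than the session timeout narrows the window in which the two can disagree, but the per-request check is what closes it after an application restart or InProc session loss.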