Introduction
Generally when any user login in any web application, we store some value in session. The session continues the user existence until logout. After logout we clear/abandon the session and redirect to login page. In that state the user is out of website and the secret information is now secure or nobody is authorized to view/access the information.
But the problem is now, from this redirect login page if user clicks the back button of browser, it again goest to the previous visited page although the page is already logged out. The main reason is browser’s cache. Because while user logout the session then the session is abandon in server side. But after click the back button of the browser, the previouse page is not postback, the client side just opens from cache. It only works if the back page refresh/relaod, because in that period the page becomes postback.
The common problem has many solutions but each and every solution has some limitations. Let’s see the existing solutions those we can find easily in searching.
Existing Solution 1: Clear cache/no-cache
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetExpires(DateTime.UtcNow.AddHours(-1));
Response.Cache.SetNoStore();
Limitations:
- Server Side code and for that it’s not works without postback.
- I have to clear my cache in force (I don’t want to clear my cache)
Existing Solution 2: Use meta tag for no-cache
<meta Http-Equiv="Cache-Control" Content="no-cache">
<meta Http-Equiv="Pragma" Content="no-cache">
<meta Http-Equiv="Expires" Content="0">
Limitations:
- This is not possible because Back history is maintained by browser, you will need to close the window
- I have to clear my cache in force (I don’t want to clear my cache)
Existing Solution 3: Clears browser history and redirects URL
<SCRIPT LANGUAGE="javascript">
{
var Backlen=history.length;
history.go(-Backlen);
window.location.href=page url
}
</SCRIPT>
Limitations:
- Same limitation like solution 1: Not working in all browsers, moreover I have to clear my history although I don't want to do this.
Existing Solution 4: Call Javascript from server side to clear cache
Page.ClientScript.RegisterStartupScript(this.GetType(),"cle","windows.history.clear",true);
Limitations:
- Server side code so it not works without postback again moreover I have to clear my history although I don't want to do this.
Alternative Solution:
From the above explanation, we can understand that when the user clicks on back button of browser, the client side loads only. Even no postback happens in that period. For that I handle the problem on client side. You can think that if we check the session value in client side with javascript then problem will solve? My answer is: NO. Because when we clear/abandon the session value, its value changed only server side but the value which already taken with javascript variable, it stores on cache also.
The only one solution is if we can check the server session value from client side on loading moment, then we can overcome this issue.
Analysis of Code:
Login Page: Login process is very common like I store a session value while login successful.
protected void btnSave_Click(object sender, EventArgs e)
{
Session["user"] = "user:Desme-BD";
Response.Redirect("/frmContentHome.aspx", true);
}
I have stored "user:Desme-BD" in session "user"
Master Page(Server Side): In content page I have checked the session value or Redirect the page to Login page.
private void CheckLogin()
{
string domain = Request.Url.Authority.ToString();
BaseURL = "http://" + domain + "/";
if (Session["user"] != null)
{
lnkLogin.Text = "Logout";
lnkLogin.PostBackUrl = BaseURL + "frmLogout.aspx";
}
else
{
Response.Redirect(BaseURL + "frmLogin.aspx", false);
}
}
Logout Page: I also clean the session value while logout with those common methods.
Session.Abandon();
Session.Clear();
Session.RemoveAll();
System.Web.Security.FormsAuthentication.SignOut();
Response.Redirect("frmLogin.aspx", false);<span style="font-size: 9pt;"> </span>
The Method which checking Server's Session with Client Side:
Master Page(Client Side):
On ASPX page I use the Jquery with JSON and checking the Session value with
LogoutCheck() WebMethod.
<script type="text/javascript">
$(document).ready(function () {
CheckingSeassion();
});
function CheckingSeassion() {
$.ajax({
type: "POST",
url: "frmLogout.aspx/LogoutCheck",
data: "{}",
contentType: "application/json; charset=utf-8",
dataType: "json",
success: function (response) {
if (response.d == 0) {
window.location = '<%= BaseURL %>' + "frmLogin.aspx";
}
},
failure: function (msg) {
alert(msg);
}
});
}
</script>
The
LogoutCheck() WebMethod is checking the session value from application server on client side loading moment.
I created this method on frmLogout.aspx page like this:
[WebMethod]
public static int LogoutCheck()
{
if (HttpContext.Current.Session["user"] == null)
{
return 0;
}
return 1;
}
Now, when user logout the page it redirect to logout page and clears and abandon the session values. Now when user click back button of browser, the client side only loads and in that period the
CheckingSeassion()WebMethod fires in JQuery and it checks the session value LogoutCheck() WebMethod. As the session is null the method returns zero and the page redirect again in login page. So, I don't have to clear the cache or clear any history of user's browser.
Download the solution-> browse frmLogin.aspx -> give any password and Login-> now Logout-> click back button on your browser and notice.
Advantage:
- Works on client side page load. No need to postback because its calling with ajax.
- No need to remove cache/history
- No need to disable back button of web browser
Limitations:
This tips has also a limitation that when user click the back button of browser, the back page show for 1 or half second because of execute the WebMethod.
..................
[Reference from codeproject Articles...]
No comments:
Post a Comment