Solved

reset the Server.requestvariables

Posted on 2002-03-04
10
480 Views
Last Modified: 2012-06-27
This is my scenario

1-Web site is running base on Windows NT Authentication
2-in default page I get
login_name= Ucase(Request.ServerVariables("LOGON_USER"))
3-I set the sessions
4-On each page I check the session to see if it is expired
5-If it is expired I want to force the user to re-login

Right now if the session is expired, I am forwarding them to login.asp but because Request.ServerVariables still exits they can start using the web site without re_login to the site.

Any idea?
0
Comment
Question by:prokni
10 Comments
 
LVL 23

Expert Comment

by:naveenkohli
ID: 6839392
Instead of checking for Session Expired.... add a flag to session variables indicating the user is valid. And when session timesout, set this flag to false. When the user tries to surf the site without logging in, you can check this flag right at the top of pge. If the flag is set, let the user go through otherwise redirect them back to login page..

<%
   if (Session("userLoggedIn") == false)
   {
      Response.Redirect("login.asp");
   }
%>
0
 
LVL 2

Author Comment

by:prokni
ID: 6839953
I guess, my question was not clear enough.
What you said is what I am doing right now.
Mt problem is, when I redirect them to login.asp, it won't ask the username and password anymore. it keeps the content of Request.ServerVariables("LOGON_USER") and will use that one again. I don't want that happens. I would like to force the user to login again.
BTW, Something is wrong on this web iste. I have not recieved email notification regarding your comments. I just checked it by mylesf.
0
 
LVL 23

Expert Comment

by:naveenkohli
ID: 6840789
Infact I did not see that that in your original question, you mentioned WIndows NT authentication. That informtion changes the scenario quite a bit. If you are using "WIndows Integrated" or inother words NTLM Challenge Response authentication, then you are out of luck. Because in this case, the user's credentials are not communmicated as clear text. In fact the client-server communicate with each other through a hash through whcih server authenticates the client. The user will only be presented with the dialog box if the authentication failes.

But if you are using Basic Authentication, then you can force the user to login again. When you redirect the user to login page because of session exipry, use the following code to force the relogin...

<%
 if (Session("redirectDueToSessionExpire") == true)
 {
   Session("redirectDueToSessionExpire") = false;
   Repsonse.Status = "401 Access Denied";
   Response.End();
 }
%>

The above code will force the logon/password dialog appear on client browser. And then user will have to relogin.

I hope this info helps.

Naveen

PS. EE seems to be having trouble with emails. It has been taking hours before you get any email for any question.
0
 
LVL 2

Author Comment

by:prokni
ID: 6841699
Unfortunate I am using both type of authentication.
(Windows integrated and basic one). I am using Basic because of Netscape users.
Any idea what to do in this scenario?
0
 
LVL 29

Expert Comment

by:Göran Andersson
ID: 6841910
To get rid of the session variables:

Session.Abandon
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 2

Author Comment

by:prokni
ID: 6842164
Session.Abandon does not work. My problem is not session. my problem is request.servervariables keep the data and when i refresh th page, it won't ask for username and password anymore.
0
 
LVL 23

Expert Comment

by:naveenkohli
ID: 6842537
Winodws Integrated authentication takes precendense over Basic authentication. I don't see any way of accomplishing it with switching to Basic Authentication. Down size of this will be the user's will be presented with that anoyying Login/Password dialog box.
Here is a solution that you may want to consider. When you send 401 status code back to the user, you can oublish your intenet that you want to use basic authentication. And then force the user to enter login informaiton.

<%
if (Session("redirectDueToSessionExpire") == true)
{
  Session("redirectDueToSessionExpire") = false;
  Repsonse.Status = "401 Access Denied";
  Response.Addheader("WWW-Authenticate", "BASIC");
  Response.End();
}
%>


Naveen
0
 
LVL 2

Author Comment

by:prokni
ID: 6844389
Naveen,
I tried it and it did not work.
let me explain it again
this is my login.asp
login_name= Ucase(Request.ServerVariables("LOGON_USER"))
if IsAuth(login_name) then
response.redirect "pag2.asp"
end if

and also on top of each page
I check
if session("Session_started") <> 1 then
response.redirect "login.asp"
end if

when the session expired then I am redirecting them to login.asp.

WHere do you suggest to put your code, I put it in my session_check.asp file and it did not work.

Thanks for your help
0
 
LVL 2

Author Comment

by:prokni
ID: 6889907
Any more idea?
0
 

Accepted Solution

by:
ComTech earned 0 total points
ID: 7002210
This qustion has no defenitive answer, as I will place it in PAQ.

Regads,
ComTech
CS Admin @ EE
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have helped a lot of people on EE with their coding sources and have enjoyed near about every minute of it. Sometimes it can get a little tedious but it is always a challenge and the one thing that I always say is:  The Exchange of information …
Have you ever needed to get an ASP script to wait for a while? I have, just to let something else happen. Or in my case, to allow other stuff to happen while I was murdering my MySQL database with an update. The Original Issue This was written…
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now