
  • Status: Solved

How to control the users' access when they go out of the application!

I have an ASP application. I want to control the users' access when they go out of the application, i.e. if they browse some web site after they log in to the application, www.yahoo.com, and try to come back to the application using the back button, it has to point to the login screen instead of allowing the previous page.
1 Solution
One way would be to expire each of your pages, which prevents the user from using the BACK button to any of the pages on your site and then incorporate hidden POST data that is passed between each of your pages. If a page request is received and the hidden form value is not there you can then redirect them to the login page.

To prevent the user from manually entering the URL, including the field/value, you will also need to check whether the request method was a GET or POST. Manually entering the field/value would register as a GET method. The request object should include a way to determine the request method.

This would require that you use POST methods for every link, which may not be feasible.
If you expire cache, the server will mimic the post exactly the same way you did the first time; you'll need to add incremental logic to see if the counter is a repeat.

Otherwise go the complete opposite and make sure pages don't expire.
Keep data in a hidden form parameter and detect if the data is saved. Browsers will try to restore the saved data when people use Back, and bingo.

Here's an excerpt with someone getting this to work:
Depending on how serious you are about this, here is one solution:

For every link include an onclick=function().
For every page include an onload=checkstate() and onunload=updatestate().

This function will populate a textbox in a form that is visible but maybe outside the viewing area (I'll explain in a minute).

Whenever the function() executes, you should populate the textbox with something like a "Y". The link still gets executed along with the function, so the page navigates. Also, the updatestate() function gets executed every time a page changes. You want this function to set the value of the textbox to "N" only when the value is not "Y".

The checkstate() function will run on every page load (the first hit, the second hit via back button, etc.). This function will check the textbox for a value of "Y" or "". If this is true, do nothing: allow the page to load, but reset the value of the textbox to "". Otherwise, redirect to your login page.

When the user hits their back button, only certain objects are cached by default in IE and NS. Textboxes will keep their last text when the page was changed. The trick is to make the textbox (not hidden) appear on the page but somewhere that the users won't see or interact with. I have typically located this inside a floating layer which is set to hidden. The textbox itself is visible, so the caching scheme utilized by IE and NS will remain intact.


Dean OBrien commented:
Have your ASP login page open up in a new defined window (location, address bar disabled etc). Then use session("Permission") variable to allow people access [i.e. if login is successful assign = 'YES'].

Then at the beginning of each ASP page use "If session("Permission") = 'Yes'" to control access. This way, with the address bar missing, the user cannot go to yahoo then back. The only way to go to yahoo is to close the window (thus closing the session, only way back through login), and open a new browser.

Might have missed something, but if not this is quite a simple approach.

easynow111, unless the user presses Ctrl + N and then changes the URL.

- OR -
Alt + N in Netscape.

Dean OBrien commented:
Valid point, did seem a little too easy!
PAQed - no points refunded (of 50)

Community Support Moderator
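
The server-side pieces suggested in this thread (expiring each page, refusing GET requests, a hidden POST value with a repeat counter, and the Session("Permission") flag) combined into one include file, as an added example that is not code from any poster. The names login.asp, the hidden field step and Session("Step") are assumptions; login.asp is assumed to set Session("Permission") = "YES" and Session("Step") = 0 and to send the user on with a form carrying step=0.

```asp
<%
' guard.asp -- constructed example. Include it before any HTML in every protected page:
'   <!-- #include file="guard.asp" -->
' and put <%= StepField() %> inside every <form method="post"> the page renders.
' Assumed names (not from the thread): login.asp, hidden field "step", Session("Step").

' 1. Expire the page so Back has to ask the server again instead of showing a copy.
Response.Expires = -1
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"

Sub BackToLogin()
    Session.Abandon                 ' drop the login so nothing replayed later is honoured
    Response.Redirect "login.asp"   ' Redirect ends processing of this page
End Sub

Dim postedStep
postedStep = Trim(Request.Form("step"))

' 2. The server-side login flag is the actual access control.
'    VBScript string comparison is case-sensitive, so login.asp must store "YES" exactly.
If Session("Permission") <> "YES" Then
    BackToLogin
' 3. A typed or bookmarked URL arrives as GET and is refused.
ElseIf UCase(Request.ServerVariables("REQUEST_METHOD")) <> "POST" Then
    BackToLogin
' 4. Hidden field missing, or not the value issued last. A re-POST produced by
'    Back or Refresh carries the previous counter value and fails here.
ElseIf postedStep = "" Or postedStep <> CStr(Session("Step")) Then
    BackToLogin
End If

' Request accepted: advance the counter so the value just used cannot be replayed.
Session("Step") = Session("Step") + 1

' Hidden field carrying the new counter value for the next POST.
Function StepField()
    StepField = "<input type=""hidden"" name=""step"" value=""" & Session("Step") & """>"
End Function
%>
```

Because every check reads server-side session state, opening a new window with Ctrl + N and editing the URL produces a GET request and lands on the login page as well.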
