Solved

password protecting pages-disable history if session invalid

Posted on 2003-11-15
9
1,177 Views
Last Modified: 2007-12-19
I have a site using MS Access, ASP, and Javascript, which serves web pages from the database dependent on certain conditions.

My question concerns the administration side of the site. (The database is only accessed by the administrators - not viewers of site)

When the administrators want to edit their web pages they have to enter a password which allows them access to various parts of the site dependent on the level of access they have which is stored in a session variable.

What I want is to make sure that when their session is ended (after the default 20min), some other staff member can't hit the back button and access their pages.

I had a solution, but this involved not allowing any history access at all, whereas I want them to be able to access the history only if their session is not yet finished.

Cheers
Jenny
0
Comment
Question by:JennyRo
9 Comments
 
LVL 11

Expert Comment

by:Zontar
ID: 9757720
The only control you have over a user's browser history (as such) is the user of the location.replace() method, which substitutes a new page for the current one in the browser history.

You can use the following HTML tags to suppress caching:

<meta http-equiv="Content-Expires" content="Tue, 01 Jan 1980 12:00:00 GMT">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache">

These are not 100% guaranteed to work in all browsers -- they're only "suggestions" and not "commands".

You should check the login session before peforming any other action on any of the admin pages -- you can't prevent someone from using the Back button to view pages from the history with 100% certainty, but you can certainly prevent them from taking any action once the session has been ended.
0
 
LVL 1

Author Comment

by:JennyRo
ID: 9758073
If I have a page which checks the session variable, how do I then send them back to their page with all their entries still there?

I tried javascript:window.history.forward(1); but this didn't seem to work - am I way off base here?

I also tried having a layer with the login form on it, and then responding to it in the same page the user is working on, but I had all sorts of problems here so I would prefer something involving a separate page.

Thanks
Jenny
0
 
LVL 11

Expert Comment

by:Zontar
ID: 9758344
> If I have a page which checks the session variable, how do I then send them back to their page with all their entries still there?

You're trying to do it backwards -- write an include that checks the login status and redirects to a login page if they're not logged in. Put in the include at the very top of each page.

0
 

Expert Comment

by:xcab
ID: 9758358
Though a little cumbersome, if this functionality is really that important I would do the following:

(1) Give each page a unique id
(2) When leaving each page, write a cookie that references the unique page id
(3) When loading each page, check for the existence of a cookie with that page's id. If it exists, load the data.

This page nicely explains it all:

http://codepunk.hardwar.org.uk/ajs27.htm
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 1

Author Comment

by:JennyRo
ID: 9759721
Why this is important is because there is alot of info that is being entered at any one time - a whole web page worth pretty much.

So if the session has expired I don't want them to lose all their data by being taken off to a different page to log in again.

Zontar - how would I get them back from the login page without losing their data - there is my problem.

I thought this would work->(javascript:window.history.forward(1);) - but it doesn't seem to

Cheers
Jenny
0
 
LVL 11

Accepted Solution

by:
Zontar earned 250 total points
ID: 9759881
You could always increase the length of the session timeout (believe you'd do this in the global.asa if memory serves correctly) -- or use a cookie that lasts until the user logs out or shuts down the browser.

history.forward() takes the user forward in the browsing history, what you want maybe would be

history.back();

or

history.go(-1);

to go back one page in the browsing history.

If you're using a link's href attribute then you need the javascript: protocol; if you're using an event handler, it's not required:

<a href="javascript:history.back();"></a>
<input type="button" onclick="history.go(-1);">

To redirect from a serverside script, you'd use something like

If [session is valid] Then
  Response.Write "<script type=""text/javascript"">history.back();</script>"
Else
  Response.Write "<p>Invalid Login -- please try again.</p>"
End If

or

If [session is valid] Then
  Response.Redirect Request.ServerVariables("HTTP_REFERER")
Else
  Response.Write "<p>Invalid Login -- please try again.</p>"
End If

You might need to store the referring URL in a session or querystring variable.

Does that help at all?
0
 
LVL 6

Expert Comment

by:DoppyNL
ID: 9762337
Simply make sure the session is destroyed when the user is logged out.
Also instruct your administrators that they must close ALL browsers when the log out and leave their computer; this will result in all pages be requested again (or at least ask the server if they've been updated). They are admins so they will know what they are doing. (otherwise I wouldn't make them an admin!)

Also check on every page if the user is logged in or not.

If you've done all this, then it won't be possible to see pages in your history that the person is not allowed to see.
0
 
LVL 1

Author Comment

by:JennyRo
ID: 9878871
That was pretty silly me getting that forward and back stuff muddled up.

I would like to know what this does in reference to my problem though:  
Response.Redirect Request.ServerVariables("HTTP_REFERER")

I haven't used ServerVariables except in a form validation sense.

I assumed it just redirected the page to the last page but it didn't seem to do anything

Cheers
Jenny
0
 
LVL 11

Expert Comment

by:Zontar
ID: 9878992
> I assumed it just redirected the page to the last page but it didn't seem to do anything

It should, but if you just load the page directly and haven't followed a link, then Request.ServerVariables("HTTP_REFERER") is empty.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Owl Carousel 6 173
WordPress/WooCommerce security best practices? 2 82
WCAG audit tools 1 72
.php tree directory? 5 56
Article by: Matthew
I am a very big proponent of technology compliance standards and strive to meet such criteria in all of my work. That includes my site, which is 100% XHTML 1.0 compliant as determined by the World Wide Web Consortium. https://www.matthewstevenkel…
Shoutout to Emily Plummer (http://www.experts-exchange.com/members/eplummer26.html) for giving me this article! She did most of it, I just finished it up and posted it for her :)    Introduction In a previous article (http://www.experts-exchang…
The viewer will the learn the benefit of plain text editors and code an HTML5 based template for use in further tutorials.
HTML5 has deprecated a few of the older ways of showing media as well as offering up a new way to create games and animations. Audio, video, and canvas are just a few of the adjustments made between XHTML and HTML5. As we learned in our last micr…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now