Firefox caches original cookie value after I've made it null

rewdee

On my website an authenticated user will have a cookie value that I check as shown below:
Code:
sSessionUserLogin = trim(cstr(Request.Cookies(COOKIE_USER_LOGIN)))
If Len(sSessionUserLogin) > 0 AND sSessionUserLogin <> vbEmpty Then
  '///Do Stuff///
ELSE
  Response.clear                                           
  Response.redirect( "Login.asp")
  Response.End                
End If
When a user logs off the following code is run.
Code:
'Prevent caching on the client
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"
Response.Expires = -1	
Response.Expiresabsolute = Now-1  
Response.AddHeader "cache-control","dim"   
Response.buffer = true

Response.Cookies(COOKIE_USER_LOGIN) = ""
'////More Stuff////
When a user hits the back button in IE, the user is correctly redirected back to the Login page. In Firefox, the user can go back to the previous page as if they had a valid cookie.

I noticed that after I used the back button in Firefox, if I then hit refresh, Firefox will redirect me to the Login page. I'm surmising then that the problem is that Firefox is caching the previous page and its values rather than checking the cookie.

Can anyone help me prevent this?
 
I thought you would face problems with IE, but strange that you are facing problems with Firefox...

Anyway... the best way to fix this is to attach a random string to the end of the URL.

-DNG
 
Why don't you add a little bit of login checking code to the top of each secured page? This could be included in an include file if you like.

The code would simply check to see if the user is actually logged in. If not then they would get redirected back to the login page.

Maybe your login code could set a Session variable (in the ///DO STUFF/// section above).

Code:
sSessionUserLogin = trim(cstr(Request.Cookies(COOKIE_USER_LOGIN)))
If Len(sSessionUserLogin) > 0 AND sSessionUserLogin <> vbEmpty Then
  '///Do Stuff///
  Session("LoggedIn") = True
ELSE
  Session("LoggedIn") = False

  Response.clear                                           
  Response.redirect( "Login.asp")
  Response.End                
End If

Your code on each secured page would just check the value of that Session variable:
Code:
If Session("LoggedIn") <> True Then
  Response.Redirect "Login.asp"
End If


Tony

 
Still, that won't solve it until he refreshes the page (that's what he was saying)... or maybe I am missing something here...

-DNG
 
Thanks for the prompt responses.

I've tried the Session variable too and as DotNetGnat pointed out the value is cached too so you are able to navigate backwards.

I should point out that the user cannot browse through secured pages after using the back button because when the user clicks a link, the new page isn't cached and hence it is the equivalent of hitting refresh, which will redirect to Login.

Can anyone expand on DotNetGnat's idea of "the best way to fix this is to attach a random string to the end of the URL."? Are you talking about adding a random query string to the URL?

Thanks,
Rewdee
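
Added example, not from any poster in this thread: cache headers apply only to the response that carries them, so the headers in the logoff code above do nothing for secured pages the browser already holds. This sketch sends the headers from each secured page through a hypothetical include file (SecurePage.asp, called before any HTML is written) and expires the cookie on logoff; the file name, the Sub names and the COOKIE_USER_LOGIN value are assumptions.

```vbscript
<%
' Added example: hypothetical include file SecurePage.asp.
' Include it at the top of every secured page and call RequireLogin
' before any HTML is written.

Const COOKIE_USER_LOGIN = "UserLogin"   ' assumed value; the thread does not show it

' Send the cache headers on the secured page itself, so the browser keeps
' no copy it could redisplay on Back once the user has logged off.
Sub SendNoStoreHeaders()
  Response.CacheControl = "no-store, no-cache, must-revalidate"
  Response.AddHeader "Pragma", "no-cache"   ' for HTTP/1.0 caches
  Response.Expires = -1
End Sub

' Same cookie test as the original post, preceded by the headers.
Sub RequireLogin()
  Dim sSessionUserLogin
  SendNoStoreHeaders
  sSessionUserLogin = Trim(CStr(Request.Cookies(COOKIE_USER_LOGIN)))
  If Len(sSessionUserLogin) = 0 Then
    Response.Clear
    Response.Redirect "Login.asp"           ' Redirect ends the script
  End If
End Sub

' Call from the logoff page: blank the cookie and give it a past expiry
' date so the browser deletes it, then return to the login page.
Sub LogOff()
  SendNoStoreHeaders
  Response.Cookies(COOKIE_USER_LOGIN) = ""
  Response.Cookies(COOKIE_USER_LOGIN).Expires = DateAdd("d", -1, Now())
  Session.Abandon                           ' drops any Session("LoggedIn") flag
  Response.Redirect "Login.asp"
End Sub
%>
```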

 