
Login , Security failure when user click Back button??


123ASP (MIS), Nov 2, 2002, US
Hi, I am about to deploy my web application, but I need to have some kind of security on the pages.
I have a total of 5 aspx pages in my web application. I have created a login.aspx and a default.aspx. The user first puts in his username and password, then once he/she clicks login, he will be directed to default.aspx, where there is a menu at the top of all aspx pages for navigation.

The login.aspx works fine to verify the user's name and password, so he/she can view all pages, but when the user clicks on the log out button, he will be directed to the login.aspx page. This is perfect....... here is the problem.
If someone else uses the same computer and clicks on the back button on the browser, he will view all the aspx pages, so there is no security. Not only that: if another person who is not authorized copied the URL address and saved it, he will always be able to log into the site and view all the pages.

How can I prevent such a thing? Here is the code I am using to create the login.aspx:

<%@ Import Namespace="System.Web.Security" %>

<html>
<script language="VB" runat=server>
' Runs on postback when the Login button is clicked.
Sub Login_Click(Src As Object, E As EventArgs)
    ' Credentials are hard-coded here; the check is replaced by a database lookup later in the thread.
    If (UserName.Value = "bob" Or UserName.Value = "Mark") And UserPass.Value = "Guest" Then
        ' Issues the forms-authentication ticket and sends the user to the page originally requested.
        FormsAuthentication.RedirectFromLoginPage(UserName.Value, PersistCookie.Checked)
    Else
        Msg.Text = "Invalid Credentials: Please try again"
    End If
End Sub
</script>
<body>
<form runat=server>
<h3><font face="Verdana">Login Page</font></h3>
<table>
<tr>
<td>Email:</td>
<td><input id="UserName" type="text" runat=server/></td>
<td><ASP:RequiredFieldValidator ControlToValidate="UserName" Display="Static" ErrorMessage="*" runat=server/></td>
</tr>
<tr>
<td>Password:</td>
<td><input id="UserPass" type=password runat=server/></td>
<td><ASP:RequiredFieldValidator ControlToValidate="UserPass" Display="Static" ErrorMessage="*" runat=server/></td>
</tr>
<tr>
<td>Persistent Cookie:</td>
<td><ASP:CheckBox id=PersistCookie runat="server" /> </td>
<td></td>
</tr>
</table>
<asp:button text="Login" OnClick="Login_Click" runat=server/>
<p>
<asp:Label id="Msg" ForeColor="red" Font-Name="Verdana" Font-Size="10" runat=server />
</form>
</body>
</html>


====================
This is what is in the config file

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<appSettings>
<add key="MyDb"
value="server=(local); database=myDB; integrated security=SSPI"/>
</appSettings>
</configuration>

I appreciate your help in guiding me to the best way to secure my site.
Thanks a lot,
Al
 
The Back button does not actually cause a new request to be made, so if you were to use the Back button after logging out, even though you see what the last person sees, if you try to refresh the page you will be redirected to the Login page. It seems as though Internet Explorer will not show a page that was served via a POST request, and gives you the "Page expired" message. So maybe if just SEEING the content on a certain page is a huge security risk, have all that content displayed only as the result of a POST command (PostBack).
 
Another idea is to use the Session.Item collection. It's not foolproof, but it will do its job.
Once your user logs in successfully, set
Code:
Session.Item("login") = 1
Then put this code on every page that you have, inside the Page_Load Sub:
Code:
If Not Session.Item("login") = 1 Then
    Response.Redirect("login.aspx")
End If
And in the logout Sub, before redirecting your user to the desired page, add this code:
Code:
Session.Abandon()

[yawn] [morning] [yawn]
 
Thanks for your reply,
It worked. What I did is take the login name and password, compare them to the database, and if they exist, I created a Session.Item("login") = 1 and put this in every page:
If Not Session.Item("login") = 1 Then
    Response.Redirect("login.aspx")
End If

Now the question: how safe is this type of security? Or is there a better way to secure a web site?
Thanks,
Al
 
This seems to be the best non-operating system authentication method to secure a web site.
Only thing to add: in your logout code, use:
Code:
Session.Abandon()
FormsAuthentication.SignOut()
 
In combination with the other suggestions above you might also take a look at the DOM location.replace method which effectively allows you to cover your tracks so that the browser Back button won't remember the logon page.

You could call this as you leave the logon page with a suitably safe URL.
 
Hi, I am not familiar with DOM location. Do you mean Document Object Model?
Please elaborate more, and thanks for your help.
Al
 
The DOM is the Web Browser Document Object Model.

The DOM 'document' object has a property called 'location' and that has a method called 'replace'.
 
Hi,

Try the following:
1.-Edit the web.config file and modify these two sections.
This section specifies the path and name of your login page:

<authentication mode="Forms">
<forms loginUrl="Secure/Login.aspx" />
</authentication>

The following will prevent anonymous users from getting into your site without a valid username and password:

<authorization>
<deny users="?" />
</authorization>

2.-Then, in your login.aspx (or any other name you use), after the username and password are verified, make sure to call this method:

FormsAuthentication.RedirectFromLoginPage(YourUserID, False)

False is to avoid saving the information in a cookie. Read the help for more details. This will redirect your application to the page you were calling. Actually, how this works is by using some kind of session data, since if the session expires, the app redirects you to the login page again. If someone comes to a workstation, copies a query string from the address box and tries to use it later, the application automatically redirects the user to the login page; you don’t need to write any additional code for this.

3.-You need to add the following import:
Imports System.Web.Security

4.-Then you can check on every page if the user is authenticated using the following sentence:
context.User.Identity.IsAuthenticated (Read the help for more details). Otherwise redirect them to the login page. To be honest with you, I tried without this validation and it works, but I don’t know how secure it is.

5.-Create a logout form where you run the following sentence to release the authentication environment:
FormsAuthentication.SignOut() (I never tried this actually, but it should work; test it and let me know.)

I'm not an expert in ASP.NET, I'm actually working on securing my application and this is what I found during my research.

I hope this helps you, let me know.

David
 
The previous post is an accurate summary of FormsAuthentication. I think the original question was about how to handle the fact that even after you log out, abandon the session, SignOut() or whatever, using the back button of the browser will display the html of the last GET request made. In this event, NO request is made to the server and therefore no authentication can take place. Now, only if a new request is made to a restricted page after signing out will any authentication take place and the browser will be redirected to the Login page. For this reason, I still stand behind my original answer in that the only way to prevent the html from the last authorized page from being viewed after log out is to make that last html the result of a POST (not a GET) which causes the browser to show the "Page is expired" message.

I hope this helps and clears up any confusion! (or at least adds something to consider).

Best Regards,

David
[pipe]
 
dragonwell,

After I replied to 123ASP, I tried creating the logout page myself here, and it is right: you see the last HTML we got back from the server. But how do I make the app make the last HTML the result of a POST and not a GET so the explorer shows me a "Page Expired" message?

Thanks,

David
 
I have been thinking that an easier way would be to force the browser to make a new request, even during a "back button" request. This could be done by setting the cache policy expiration to some date in the past, which would force the browser to never cache the page, and thus always request a new version even during a "back-button" move.

HTH
 
Good to know such a thing exists. Can you please tell me where to find the cache policy expiration page?
Thanks,
Al
 
One or more of the following on your page should do the trick.

Code:
// Each of these widens the no-cache policy sent with the response.
Response.Cache.SetAllowResponseInBrowserHistory(false);
Response.Cache.SetNoStore();
Response.Cache.SetExpires(DateTime.Now.AddYears(-10));

HTH
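The thread so far gives three server-side pieces separately: David's `Context.User.Identity.IsAuthenticated` check on every page, the `Session.Abandon()` / `FormsAuthentication.SignOut()` pair on logout, and dragonwell's cache policy so that Back re-requests the page instead of replaying a stored copy. The following is an added example that puts them in one base class; it is not code from this thread or from any poster. It is C# code-behind for ASP.NET Web Forms (System.Web), and it assumes a web.config with `<authentication mode="Forms">` pointing at `Login.aspx` and `<authorization><deny users="?"/></authorization>` as shown in David's post. The page and class names are assumptions.

```csharp
// Added example, not from the thread. Assumes web.config carries
// <authentication mode="Forms"> with loginUrl="Login.aspx" and
// <authorization><deny users="?"/></authorization>, as in David's post.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Every page that must not be visible without a login derives from SecurePage
// instead of Page, so the check and the cache policy live in one place rather
// than being pasted into each Page_Load.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // David's step 4, run on every request. This only helps when the browser
        // actually sends a request, which is why a cached copy shown by Back
        // gets past it: no request, no check.
        if (!Context.User.Identity.IsAuthenticated)
        {
            Response.Redirect("Login.aspx", true);   // true: end this response here
        }

        // dragonwell's cache policy. NoCache plus SetNoStore yields
        // "Cache-Control: no-cache, no-store" and an Expires date in the past,
        // so Back has nothing to replay and must ask the server again, which
        // runs the check above and lands on Login.aspx after a logout.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetAllowResponseInBrowserHistory(false);
        Response.Cache.SetExpires(DateTime.UtcNow.AddYears(-10));
        Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
    }
}

// Code-behind for Logout.aspx (assumed name). Both calls matter: SignOut()
// removes the forms-authentication ticket cookie, so the next request fails the
// IsAuthenticated check, and Abandon() drops the Session("login") flag and any
// other per-user state kept on the server.
public class LogoutPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();
        Session.Abandon();
        Response.Redirect("Login.aspx", true);
    }
}

// A protected page then needs nothing of its own:
public class DefaultPage : SecurePage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Page content here is only reached for an authenticated request.
    }
}
```

The server-side check is the actual control; the cache policy and the POST/`history.go(1)` tricks discussed in the thread only change what the browser shows from its own history. With the headers above, Back triggers a fresh GET, so after logout the redirect to Login.aspx happens on that request rather than depending on the "Page Expired" behaviour of one browser.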


 
FAQ855-3257

has a lot of useful bits of information. But specifically, you can put:

<script language=javascript>
history.go(1);
</script>

on any pages where you do not wish for your users to go 'back'.

The solution that dragonwell has suggested will give the users a "Warning - Page Expired" message when they click back, whereas this solution will actually prevent them from moving back at all.


That'l do donkey, that'l do
[bravo] Mark
If you are unsure of forum etiquette check here faq796-2540
 
Zarcom

I'm sorry I can't make it work. I place the script as a startup script but it doesn't work. It could be the time, I'm tired already.

Thanks,

David
 