How do you prevent an ASP page from being 'backed' onto?


Mike Pliam
September 19th, 2005, 09:51 PM
I have written a server login routine consisting of several *.asp pages (IIS). It works fine, but there is nothing 'secure' about it. Two major problems involve:

1 - If a client browser simply uses the 'Back' arrow after 'logging off', the supposedly 'secure' server page is again displayed.

2 - If a client browser just sets the url to the server directory, the entire server subdirectory of files is displayed and any file can be accessed.

Questions:

1 - How do you block the browser from returning to a 'private' client's page which ideally should only be accessed by a proper login procedure and be inaccessible after that client logs out?

2 - How do you prevent a random client browser from viewing a particular server subdirectory?

Any comments greatly appreciated. Thanks. Mike

Vanny
September 19th, 2005, 11:06 PM
The back issue is an interesting one, as when you click back, the majority of the time it is actually not your server they are looking at but a copy of the page stored in the local system's (client's) cache. I myself am yet to find a perfect way to eliminate this issue.

However these are the things I can see to help you secure the system:

1. Upon authentication create a session storing that they are logged into the system.
2. When loading any page in the secure area check that this session variable is correct.
3. When logging out make sure you use a page that kills the session (hence not logged in) and then redirects to the logout screen; this way if they click back it will redirect them (via ASP) straight back to the logout screen.
4. If they happen to load any page without logging in, the session will not exist and you can redirect them (via ASP) to a login screen.

You are able to make this more complicated but that is a basic routine that helps.

In IIS there are some headers you can add that help stop the page being cached, so if someone clicks back it will reload the page from the server and then check their authentication status and act appropriately. Have a look at the IIS website properties, and look in the HTTP headers; there is an expires immediately option in there.


The second part of your problem can be solved very similarly to the first by setting up an authentication routine and checking it at the top of every ASP page; you will be able to detect illegal entry and redirect them back to your start page.

I hope this helps.

Mike Pliam
September 21st, 2005, 02:23 PM
Thanks for the help.

Turns out that the directory browsing problem can be solved simply by changing a server setting that turns off that capability.

The other problem apparently results because, as you have suggested, the cached page is being viewed. I have been trying to find a header that sets some limits on how a page is cached, but have not yet found it (tried the MSDN Library and a number of ASP books that I have).

Does anyone have examples of such headers?

Thanks again.

Mike

Vanny
September 21st, 2005, 07:03 PM
Try these in the ASP code (before any output is sent, since headers cannot be changed once the body has started):

Response.Buffer = True                              ' buffer so headers can still be set
Response.Expires = 0                                ' page expires as soon as it is sent
Response.ExpiresAbsolute = DateAdd("yyyy", -10, Date)  ' Expires header dated 10 years ago
Response.CacheControl = "Private"                   ' Cache-Control: private (no shared caches)
Response.AddHeader "PRAGMA", "NO-CACHE"             ' Pragma: no-cache for HTTP/1.0 caches

I have had reasonable success with them.

For the IIS HTTP headers open your IIS administration console. Select the default website. Right click on it and select Properties. Select the HTTP Headers tab. Check the Enable content expiration box and select Expire Immediately. Apply and close.

A Microsoft guy showed me this, but I am still not 100% sure how effective it is; he reckons that's what you need.

I use IIS 5.1.

--------------------------

Sorry, I misunderstood your directory browsing issue; I thought you meant getting to secure pages without actually logging into the system.
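Putting the session routine from the first reply and the cache headers from this one together, as an added example (this is not code from the thread; the file names secure_check.asp, login.asp and logout.asp and the session variable LoggedIn are assumed):

```asp
<%
' ---- secure_check.asp (assumed name) ----
' Include this as the first line of every page in the secure area:
'   <!--#include file="secure_check.asp"-->
' It sends no-cache headers so a Back click re-requests the page from the
' server, then checks the 'logged in state' flag and redirects anyone without it.

Response.Buffer = True          ' headers/redirect can still be set after output starts

' Tell the browser and any proxy not to keep a copy of this page.
Response.Expires = -1
Response.ExpiresAbsolute = DateAdd("yyyy", -10, Now())
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"

' Session("LoggedIn") is Empty for anyone who never logged in, False after logout.
If Session("LoggedIn") <> True Then
    Response.Redirect "login.asp"
End If
%>

<%
' ---- login.asp (assumed name), only the part that sets the flag ----
' CredentialsAreValid is a hypothetical function that checks the posted
' username/password against your user store; it is not defined here.
If CredentialsAreValid(Request.Form("user"), Request.Form("pass")) Then
    Session("LoggedIn") = True
    Response.Redirect "secure_home.asp"   ' assumed first page of the secure area
Else
    Response.Write "Login failed."
End If
%>

<%
' ---- logout.asp (assumed name) ----
' Clear the flag, drop the whole session, then send the user to login.asp.
' Because login.asp is where Back lands next, a cached secure page is never shown.
Session("LoggedIn") = False
Session.Abandon
Response.Redirect "login.asp"
%>
```

The Response.CacheControl and Pragma lines are what make the browser re-request the page on Back; the session check is what actually keeps a logged-out user out.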

Darth Hacker
September 22nd, 2005, 07:16 PM
Another way to prevent your ASP page --- or any web page, for that matter --- from being backed into is to add this client-side JavaScript code:

<script type="text/javascript">
// Push the browser forward one step, undoing a Back that landed here.
window.history.forward(1);
</script>

When the user leaves your page and hits the back button, this script will send them back to the page they just came from. Of course, this technique isn't secure (the user could disable JavaScript), but it can augment the other techniques that you would use. From a security standpoint, the more you can do from the server, the better.

Mike Pliam
September 25th, 2005, 12:50 PM
Darth's JavaScript routine works, unlike the other headers, which don't seem to do anything.

But the JavaScript header on a page also prohibits the browser from back-paging any subsequent pages. This creates problems for the logged-in user, depending upon how the blocked page is linked.

What one really needs is a 'logged in state' flag that can be checked.

Thanks all.

Mike

DivyaJaiKumar
September 30th, 2005, 01:37 AM
Thanks to Darth's suggestion, as even I had this problem in my web site. This has helped me a lot.
I also have one more doubt. I have done my project under ASP.NET with JavaScript; the problem is that whatever data I enter into the form is not to be seen in the Access database in which I would like the data to be stored. Could you help me with this problem?
Thanks in advance,