I have a master page whit an OnInit event. In this event I check if a user is logged in (stored in the session). If not logged in, the user is redirected to the login page.

On my Home.aspx page I have a hyperlinkto Order.aspx with querystring id (both content page of the master page). When the link is clicked, the master.OnInit method is executed, next the order.Page_Load and finally the page Order with the correct id is shown.

Next when I click 'logout', the Session the is Cleared and Abanded, and the user is redirected to the Login page again.

But now, when I type in the adressbar http://localhost:51029/Order.aspx?id=1, both master.OnInit and order.Page_Load are NOT executed. But the order with id 1 is shown, even when the user is not logged in.
it looks like this has the same effect when clicking the 'Previous' button of the browser.

So I placed a label which text property is set to DateTime.Now on the pageload of Order. When I opened the page it's text is "2008-12-22 10:40:33". When I re-load the page via the Home page, the text changes into "2008-12-22 10:41:03". So the pageload is executed (like it should). But now, when I click logout, session is cleared and redirected to login. When I nog type the url in the adressbar, the page is loaded again and label's text is still "2008-12-22 10:41:03".

Am I doing something wrong, or is this a 'bug'? If it is, how can I solve it or is there any workaround?


EDIT: this only happens when the page is already been loaded. So, if I am at the login page for the first time, and type the url in the adressbar, the user is nicely redirected to the login page. So it only fails when the page is opened once, then logged out, and then type the url in adressbar

hi

To resolve this do the Following

In each and every page retrict the user from going back and in the master page load event and each and everypage, check if the session is new if its true redirect to the user to the login screen. like this

Restrict your users from going back with this code


Response.Write("<script> window.history.forward(1);</script>");


Check every page if the Session is New and redirect them to the login page like this


if (Session.IsNewSession)
{

Session.Abandon();

Response.Redirect("~/login.aspx");


}


Now when using this trick, if someone tries to bypass your Security and go directly to the order page ,it will go but the moment he tried to click anything , it will throw them back to the login page.

Try it you will see its Good

Hope it helps

There is a timer running on the order page, so after a second the pageload event still executes. and also redirected to the login page. But this looks not very nice.

But why does the pageload execute on firsttime load, and after this first time not (when the url is typed into the adressbar)

In each and every page retrict the user from going back
:thumbd::thumbd:
A VERY bad idea (although unfortunately it is used).

First it does NOTHING to address the issue. Second it is non-portable.

The proper thing to do is to inhibit caching of your page.

If you want to do this "very well", then you should use AJAX so that the static content CAN be cached, but the actual data is pulled from the server on each display.

I'am using AJAX. The timer is running on an UpdatePanel.

In order.aspx I added the next code

<%@ OutputCache Location="None"%>


Looks like it is loaded everytime now :)