
I have 3 users and a login page is provided for them. When a user logs in, they are directed to their respective pages. The problem is that once a user clicks the browser's BACK button, they should not be allowed to access those pages again without providing the login credentials. LoginPage.cs

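protected void bLogin_Click(object sender, EventArgs e)
{
    // Authenticates the user from the login form and starts their session.
    //
    // On success the login flag, the registration number and the user type are
    // stored in the session and the user is redirected to the page for that
    // user type. On any failure the same generic message is shown so that the
    // response does not reveal whether the user id or the password was wrong.
    string userName = tbUName.Text;
    string password = tbPword.Text;

    // SECURITY: the values come straight from the form and are spliced into
    // the SQL text, so a crafted input can alter the query (SQL injection).
    // The lookup must be issued as a parameterized command (one parameter per
    // value); that requires changing the getData helper, which lives outside
    // this file, so the call is kept here and flagged rather than silently
    // rewritten. The password is also compared as stored; it should be kept
    // as a salted hash (e.g. PBKDF2) and verified against that hash instead.
    datatable = methodobj.getData("select regd_no, pword,user_type from stu_info where regd_no='" + userName + "'and pword='" + password + "' ");

    // The query already matched the row; re-checking the stored values with an
    // ordinal comparison keeps the check case-sensitive even if the database
    // collation is not.
    bool credentialsMatch = datatable.Rows.Count >= 1
        && string.Equals(Convert.ToString(datatable.Rows[0][0]), userName, StringComparison.Ordinal)
        && string.Equals(Convert.ToString(datatable.Rows[0][1]), password, StringComparison.Ordinal);

    if (!credentialsMatch)
    {
        lbStatus.Text = "**Login fail. Incorrect UserId or Password.";
        return;
    }

    string userType = Convert.ToString(datatable.Rows[0]["user_type"]);
    string target;
    switch (userType)
    {
        case "admin":
            target = "~/aHome.aspx";
            break;
        case "students":
            target = "~/RandomPassword.aspx";
            break;
        case "teacher":
            target = "~/subMark.aspx";
            break;
        default:
            // An unrecognised role has no page to go to; the original set the
            // login flag before checking the role and then stayed on this
            // page, leaving a session marked as logged in. Treat it as a
            // failed login instead and do not touch the session.
            lbStatus.Text = "**Login fail. Incorrect UserId or Password.";
            return;
    }

    // Session state is written only once the role is known. The original read
    // regd_no from `updtkitable`, which this method never populates; the row
    // just fetched holds the same registration number.
    Session["loginstatus"] = true;
    Session["regd_no"] = Convert.ToString(datatable.Rows[0]["regd_no"]);
    // The master pages gate on Session["user_type"], so it has to be set here.
    Session["user_type"] = userType;

    Response.Redirect(target);
}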

AdminMasterPage.cs

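protected void Page_Load(object sender, EventArgs e)
{
    // Gate for every page built on this master page: only a session that is
    // logged in with the "admin" role may render it; everyone else is sent to
    // the login page.
    //
    // The response is marked no-cache and no-store so the browser does not
    // keep a copy it can show again from the Back button after logout; a Back
    // navigation that reaches the server then runs this check again. A page
    // the browser already cached before these headers were sent cannot be
    // recalled from the server side.
    Response.Cache.SetCacheability(System.Web.HttpCacheability.NoCache);
    Response.Cache.SetNoStore();

    // Session["loginstatus"] is expected to hold a bool written at login and
    // Session["user_type"] the role string; a missing or non-true flag, or any
    // role other than "admin", is treated as not authenticated.
    object loginState = Session["loginstatus"];
    bool loggedIn = loginState != null && Convert.ToBoolean(loginState);

    // The original compared Session["user_type"] (an object) with "admin"
    // using !=, which is a reference comparison, not a string comparison.
    string userType = Session["user_type"] as string;
    bool isAdmin = string.Equals(userType, "admin", StringComparison.Ordinal);

    if (!loggedIn || !isAdmin)
    {
        Response.Redirect("~/login.aspx");
    }
}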
  • If you want to prevent users from accessing specific pages without logging in again, then you shouldn't store a session. Right? – user1477388 May 13 '14 at 13:35



These pages are cached on the client side, so there is nothing you can do from the server side.

Two possible improvements from the client side:

  1. Tell the client to close the browser after logging out
  2. Use JavaScript to check the credentials on page load and navigate to the login page if they are not valid

The second case has some drawbacks: the page is either visible until the credentials are checked, or — if hidden by default — not visible until after the check even when the user has the appropriate credentials. The user can also grab the page content before the JS runs (or disable JS altogether), so this is not really secure.

Christoph Fink