Session gets overridden on opening a new tab in IE in mvc - asp.net-mvc-3

I have a home page URL, http://localhost:3443/home1.
In the index action of home1 I have session["Home"]=Home1.
I have another home page URL, http://localhost:3443/home2.
There I have session["Home"]=Home2.
Now the context is that for some users the landing page is home1. So if they click on the home button on the menu or do any such activity, they should land on home1.
Another set of users should land on home2 for whatever activity they do which leads to the home page.
Now the menu: it is an ascx control.
Here we are checking whether the session value is home1 or home2.
Based on that we are redirecting the user to the desired landing page.
Now the problem that I am facing is this: when we copy http://localhost:3443/home1 to another tab, e.g. tab2, and from there change it to home2 and then do some activity, and then come back to tab1, the value gets overridden and it takes the home2 session. This leads to the wrong landing page on clicking the home link in the menu. Do you have any solutions for this problem?
I hope I have explained the problem correctly; if not, please let me know and I will explain further.

Session is for the connection, which will include both tabs (for example, this is why you can log in to stackoverflow on one tab and then, if you open a second tab, you are still logged in).

As @Skuld mentioned, the session is for the user's connection to the site, so if the user goes to another page he or she is allowed to go to, they can open this in a new tab, keeping the original tab open. If these are form pages you might want to look at AntiForgeryToken. Also, I noticed you said this happens in IE; does this also happen in Chrome? If so, you might want to look to see if IE is accepting cookies. You can add roles to the session and then authorize those roles to home1 or home2 from your controller; you should be authorizing users and roles to pages in your code, not within your session. It's hard to help any more without any code to look at.
Hope this gets you on the right track.

Related

Xamarin Page Navigation (again)

We're starting on a Xamarin.Forms app, and there are going to be quite a few pages and the navigation between pages will be handled completely by the app - specifically there is no back button, which shouldn't be a problem since we are only planning on releasing for iOS.
The first page the user encounters is the Login page, once logged in they go to the Home page. To perform this transition I just call
LoginPage.Navigation.PushModalAsync(HomePage)
and that's fine.
Now if, on the Home page, they press the Logout button, I could call PopModalAsync(), the problem is that the Logout button exists on all the pages, so the user could have followed a path like this:
Login -> Home -> Create -> Format -> Print -> Logout
and I need to immediately jump to the Login screen.
So on the Home page, if the user presses the Logout button, I tried calling
ApplicationHomePage.Navigation.PushModalAsync(LoginPage);
but got an exception:
System.InvalidOperationException: Page must not already have a parent.
So just for fun I thought I'd try the easy solution:
LoginPage.Parent = null;
ApplicationHomePage.Navigation.PushModalAsync(LoginPage);
I'm never going to have a back button, and the iPad doesn't have one, so the contents of the navigation stacks aren't really important (right?)
Is this method of navigating "legal"? Is it going to cause me some problem I'm not seeing right now?
I think you can take a look at this
You shouldn't add your login page to a NavigationStack. Changing the MainPage property is a good solution...

Is it Good Practice to refresh the whole Page or Just reset the variables when user logged out (GWT)?

Here is my Gwt App, I have many pages: CustomerPage, OrderPage,... Each of these pages will have a header that have a Login Panel on top & its own content in the middle like this:
1- Customer Page
____________UserName...... Password....... Login
Customer Content here.....
2- Order Page
____________UserName...... Password....... Login
Order Content here.....
This means user can sign in in any page, they don't need to go to homepage to sign in.
Then here is my question, When user is in a certain page (ex: CustomerPage) & if they Log out then:
1- Should I refresh the whole page or redirect users to a Logout Page, so that if they want to reopen the CustomerPage, the page will have to go through all the initializing processes (onBind-onReveal-onReset...)?
2- Should I just let the user stay where they are, and when the user clicks the logout button the system will reset variables? By doing that, if the user logs back in, the page will run faster because it doesn't have to go through all the (onBind-onReveal-onReset...). However, if I do that then it is quite difficult for me to reset all the variables. I have to remember which variables were already initialized at the time the page got logged in and try to reset them to null or empty string. If I miss resetting just 1 variable then I will have trouble.
Some big sites like Google or Facebook are using solution 1, i.e. when the user signs out it will redirect to a new page or go back to the homepage.
Also, if adopting solution 1, then I just need to call Window.Location.reload(); and it will reset everything. Even if the user clicks the Back Arrow, they won't be able to see the old data since everything was reset.
So:
Is it Good Practice to redirect to a new Page or staying at the same page When user logged out (GWT)?
When users click on a Logout button, they expect that they can walk away from a computer. If you continue to show the same page, someone else might gain access to the data.
The universally accepted approach is to hide all data (i.e. redirect to the login/home page or close the app completely) when a user logs out. That's what users expect, and this is what you must do.
It depends what you've got loaded into the browser. Log in/out via a page refresh will be slower and present lag to your user. If you properly clean up after yourself on logout (delete server side session, unbind presenters, clear caches) then it is really optional to refresh the page.
"The universally accepted approach is to hide all data (i.e. redirect to the login/home page or close the app completely) when a user logs out. That's what users expect, and this is what you must do."
If your session management server side prevents any RPCs once you've logged out, and you no longer present/cache data, this is not an absolute necessity. Use discretion based on your app needs, size, load time, and the sensitivity of the data it conveys.

How to track separate sessions initiated by the same user/browser

I have a web application which a user can enter from a number of different pages and follow a number of different paths through the application. I want to be able to add a back to start button to each page which the user can click to take them back to the page they entered the application at.
Currently the user is authenticated by cookie, so I can see what page the cookie is generated on, store this and use the link for the back button. However, it is common for a user to open multiple tabs with the application in and enter through multiple entry pages, and I want each tab to be able to direct the user back to the correct entry page.
I.e. the user enters the application at page 1 then browses to page 2 - the back button should link to page 1.
The user then opens another tab at page 3 and browses to page 4 - the back button here should link to page 3.
At this point, if the user goes back to tab 1 and browses to page 5, the back button should still link to page 1 here and the back button in the other tab should link to page 3.
The only way I can think of to do this is store the session ID in the get/post request and pass it on every page - can anyone else think of an easier or more elegant solution?
Thanks,
Tom
Look at the documentation for $_SERVER['HTTP_REFERER']
Problem: if he is redirected from google...
Plus: you can hardcode a function that checks the domain :-)
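The per-tab "back to start" behaviour asked about above, sketched with sessionStorage, which is scoped to a single tab while the authentication cookie is shared by every tab. This is an added example, not code from the thread; the page paths, the `TabStorage` stand-in and the function names are assumptions.

```javascript
// Added example, not code from the thread. Page paths are assumed names.
const ENTRY_PAGES = new Set(['/page1', '/page3']); // pages a user may enter at
const DEFAULT_START = '/page1';
const KEY = 'entryPage';

// Minimal stand-in for window.sessionStorage so the sketch runs outside a
// browser. One instance models one tab; in a page, pass window.sessionStorage.
class TabStorage {
  constructor() { this.items = new Map(); }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
  setItem(k, v) { this.items.set(k, String(v)); }
}

// Run on every page load: records only the first entry page seen in this tab.
function recordPageLoad(storage, path) {
  if (storage.getItem(KEY) === null && ENTRY_PAGES.has(path)) {
    storage.setItem(KEY, path);
  }
}

// Target for the "back to start" button. The stored value lives in the
// browser and can be edited by the user, so it is checked against the
// allow-list before it is used as a link target.
function backToStart(storage) {
  const stored = storage.getItem(KEY);
  return ENTRY_PAGES.has(stored) ? stored : DEFAULT_START;
}

// Constructed walk-through of the scenario in the question.
function simulate() {
  const tab1 = new TabStorage();
  const tab2 = new TabStorage();
  recordPageLoad(tab1, '/page1'); // tab 1 enters at page 1
  recordPageLoad(tab1, '/page2');
  recordPageLoad(tab2, '/page3'); // tab 2 enters at page 3
  recordPageLoad(tab2, '/page4');
  recordPageLoad(tab1, '/page5'); // back in tab 1
  return { tab1: backToStart(tab1), tab2: backToStart(tab2) };
}
```

Per-tab storage only carries navigation state here; what a user is allowed to open is still decided on the server from the authenticated session.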

Classic ASP Logout Process

I'm working on a web application developed classic asp. It has logout button on the top menu which basically does the following actions
Session.Abandon()
Redirect to Index.asp, where users can login again.
After logging off, users return to index.asp. But if users click the back button of the browser, they go to the previous page. I don't want this to happen. I want a message saying that they are already logged off. I have implemented the following steps:
1. Add Response.Expires=-1 and Response.CacheControl="no-cache" at the top of each page.
2. On each page I'm checking the session object to see it is not empty. If empty, I'm creating a message saying that they are already logged off and need to log in again.
Now when users click the back button after logging off, instead of showing the logged out message, I get a "Web page expired" message on IE8. I see the same behavior when users click the back button on some page while logged in.
Any ideas how I can implement this better?
Thanks.
You can't stop users pressing back. A common scenario to work around this is that POSTs target a server page that displays no output but redirects to a new location instead (where the results can be seen).
There are additional non caching declarations that sometimes help:
Response.Expires = 0
Response.AddHeader "pragma","no-cache"
Response.AddHeader "cache-control","private"
Response.CacheControl = "no-cache"
I did read some time ago (hence inability to find link) that setting an expires to -1 can cause some browsers to ignore it rather than have it expire immediately.
Even adding these extra cache controls won't stop some browsers from caching some things some of the time. FF quite often ignores a forced cache reload by the user, so you are in the browser makers' hands to a certain extent.
Regarding your "Web page expired" message, this is (as mentioned) the result of the browser trying to stop you from resubmitting POST data (and potentially duplicating what you last did). The best way to get around this, and solve a number of other common UI issues on forms is to POST back to the same page, then if/when the action is completed, using a response.redirect to the same page, maybe with a URL encoded message to say "all done successfully". This allows your users to refresh and helps with the back button issue as most browsers now don't store properly redirected pages in their history.

Why Doesn't Closing A Tab Delete A Session Cookie?

I'm using session-based cookies with my website. To my complete surprise, I noticed if I set a session cookie (not a persistent cookie), close a tab, and then reconnect to the site, the session cookies are still there. That's not what I would have expected, actually. I would have expected the session cookies to be deleted.
If you close the browser, a session cookie is deleted, so why not closing a tab to have the same result?
Therefore, I'm using PHP5 and jQuery. Is there anything I can do such that when a tab is closed I can fix this session issue? Unfortunately the onbeforeunload event on the BODY tag is not useful here because when you click away from a page it fires that event, not just closing a tab.
The session cookie is per-process not per window. So even if you selected New Window you'd still get the same session id. This behavior makes sense. You wouldn't want a user to re-sign in each time they opened a new window while browsing your site.
I'm not aware off hand of any real way around this.
This is by design and trying to change it is a very bad idea. What if a user opens a link in a new tab and closes that? Should the session in the original tab be destroyed? Of course not! This demonstrates why you should not even think about this.
A session ends when the last browser window closes. If you want something else, you:
do not want sessions;
need to make your own "mini-session" infrastructure;
are probably in for a world of hurt and bugs.
Session web storage can be used instead of cookies if you need to depend on tab closure.
You can also write JavaScript that detects when a tab is closed and deletes the cookie.
I found a work around.
I'm working in ASP.NET C#. I have a Master Page for all the pages of the site except for the Login page. In the Master Page server Page Load event I get the Url of the referring page and check if it contains the root of the site; if not, I redirect to the Login page, and since it doesn't have that Master Page it displays.
This works if I try to get to a page from another site or if I enter the Url into the address box of the browser. So if you close the tab and you try to reenter from another tab or reopen the tab, even though the cookie hasn't been killed you can't reenter the site without going through Login. This also works even if you haven't closed the tab and you're navigating between different sites in the same tab.
This is the code
// Send the request to Login when there is no referrer or it does not contain the site root
if (Request.UrlReferrer == null || !Request.UrlReferrer.AbsoluteUri.ToString().Contains("root"))
{
    Response.Redirect("~/Account/Login.aspx");
}
When navigating from within the site there's no problem even if you open a link to another page in the site to another tab it opens.
If you want to be additionally sure you can kill the session and authentication cookie in that if clause before redirecting to the Login page.
This won't work when a user navigated to another site in the same tab and presses the browser's back button because that works on cache and doesn't automatically send a request to the server.
So this doesn't kill the session or authentication cookie on closing the tab, but it can help prevent reentering the site without logging in after closing the tab.
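A referrer gate like the one in the workaround above, and the domain check suggested for HTTP_REFERER in the earlier thread, is more robust when the header is parsed and its origin compared exactly rather than searched for a substring. This is an added JavaScript example, not the poster's code; `SITE_ORIGIN`, the request shape and the sample URLs are constructed assumptions.

```javascript
// Added example, not code from the thread. SITE_ORIGIN is a placeholder.
const SITE_ORIGIN = 'https://app.example';

// Same shape as the check in the post: the marker may appear anywhere.
function substringCheck(referrer, marker) {
  return referrer != null && referrer.includes(marker);
}

// Stricter: parse the header and compare scheme, host and port exactly.
function sameOriginReferrer(referrer, siteOrigin = SITE_ORIGIN) {
  if (!referrer) return false;
  let parsed;
  try { parsed = new URL(referrer); } catch { return false; }
  return parsed.origin === new URL(siteOrigin).origin;
}

// Gate decision for a hypothetical request object. The Referer value is
// supplied by the client and is often omitted (Referrer-Policy, privacy
// tools), so it is only a navigation hint; the server-side session check
// stays the authentication decision.
function decide(request) {
  if (!request.sessionValid) return 'redirect-login';
  if (!sameOriginReferrer(request.referrer)) return 'redirect-login';
  return 'allow';
}

// Constructed sample headers showing where the two checks disagree.
const SAMPLES = [
  'https://app.example/orders/7',
  'https://app.example.other.test/x',
  'https://other.test/?next=https://app.example/',
  'not a url',
];

function compare() {
  return SAMPLES.map((r) => ({
    referrer: r,
    substring: substringCheck(r, 'app.example'),
    strict: sameOriginReferrer(r),
  }));
}
```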
