I'm working on a web application developed classic asp. It has logout button on the top menu which basically does the following actions
Session.Abandon()
Redirect to Index.asp, where users can login again.
After logging off users return to index.asp. But if users click back button the browser, they go to previous page. I don't want this to happen. I want a message saying that they are already logged off.I have implemented following steps
1.Add Response.Expires=-1 and Response.CacheControl="no-cache" at the top of each page.
2.On each page i'm checking session object to see it is not empty. If empty i'm creating a message saying that they are already logged off and need to log in again.
Now when users click back button after logging off, instead off showing logged out message, i get "Web page expired" message on IE8. I see the same behavior when users click back button on some page while logged in.
Any ideas how i can implement this better.
Thanks.
You can't stop users pressing back. A common scenario to work around this is that POSTs target a server page that displays no output but redirects to a new location instead (where the results can be seen).
There are additional non caching declarations that sometimes help:
Response.Expires = 0
Response.AddHeader "pragma","no-cache"
Response.AddHeader "cache-control","private"
Response.CacheControl = "no-cache"
I did read some time ago (hence inability to find link) that setting an expires to -1 can cause some browser to ignore it rather than have it expire immediately.
Even adding these extra cache controls won't stop some browsers from caching some things some of the time. FF quite often ignores a forced cache reload by the user, so you are in the browser makes hands to a certain extent.
Regarding your "Web page expired" message, this is (as mentioned) the result of the browser trying to stop you from resubmitting POST data (and potentially duplicating what you last did). The best way to get around this, and solve a number of other common UI issues on forms is to POST back to the same page, then if/when the action is completed, using a response.redirect to the same page, maybe with a URL encoded message to say "all done successfully". This allows your users to refresh and helps with the back button issue as most browsers now don't store properly redirected pages in their history.
Related
Here is my Gwt App, I have many pages: CustomerPage, OrderPage,... Each of these pages will have a header that have a Login Panel on top & its own content in the middle like this:
1- Customer Page
____________UserName...... Password....... Login
Customer Content here.....
2- Order Page
____________UserName...... Password....... Login
Order Content here.....
This means user can sign in in any page, they don't need to go to homepage to sign in.
Then here is my question, When user is in a certain page (ex: CustomerPage) & if they Log out then:
1- Should I refresh the whole page or redirect users to a Logout Page, so if they want to reopen the CustomerPage, then the page will have to go through all the Initializing processes (onBind-onReveal-onReset...)
2- Should I just let user stay where they are, and when user clicks logout button then system will reset variables. By doing that, then if user logs back in, the page will run faster cos it doesn't have to go through all the (onBind-onReveal-onReset...). However, if i do that then it quite difficult for me to reset all the variables. I have to remember which variables already initialed at the time the page got loggined & try to reset it to null or empty string. If i miss resetting just 1 variable then i will have trouble.
Some big site like Google or Facebook are using the solution 1, ie when user signs out it will redirect to new page or go back to homepage.
Also If adopting the solution 1, then i just need to call Window.Location.reload(); & it will reset everything. Even user clicks Back Arrow, they won't be able to see the old data since everything was reset.
So:
Is it Good Practice to redirect to a new Page or staying at the same page When user logged out (GWT)?
When users click on a Logout button, they expect that they can walk away from a computer. If you continue to show the same page, someone else might gain access to the data.
The universally accepted approach is to hide all data (i.e. redirect to the login/home page or close the app completely) when a user logs out. That's what users expect, and this is what you must do.
It depends what you've got loaded into the browser. Log in/out via a page refresh will be slower and present lag to your user. If you properly cleanup after yourself on logout (delete server side session, unbind presenters, clear caches) then it is really optional to refresh the page.
The universally accepted approach is to hide all data (i.e. redirect
to the login/home page or close the app completely) when a user logs
out. That's what users expect, and this is what you must do.
If your session management server side prevents any RPC's once you've logged out, and you no longer present/cache data, this is not an absolute necessity. Use digression based on your app needs, size, load time, and the sensitivity of the data it conveys.
I have a very strict requirement to use POST to pass in request parameters to my application upon entry. Once entering the application (page1), entering form information and continuing to the next page (page2) via a commandButton, the expectation is that the data will be posted and later read from a session scoped manage bean. All works well except when using browser back on page2 to navigate back to page1.
I have tried adding a redirect tag on the navigation rule that navigates from page1 to page2 to no avail. I have also tried this implementation of the Post-Get-Redirect pattern (http://balusc.blogspot.com/2007/03/post-redirect-get-pattern.html). Am I missing something obvious here?
Abel, the scope of page1 is request.
The solution we came up with which is no means ideal is to disable browser caching on the previous page. What this means is that whenever you refresh the page using the browser refresh button or click the browser back button, the browser will indicate that the page is expired and prompt a warning asking whether you want to re-submit the request.
We do have a work around which is to provide navigation buttons within the webpage but the idea was to support browser back. This would be easy using GET parameters, but POST provides additional complexity which we have decided to mitigate by by providing our in-house navigation buttons.
I'm using session-based cookies with my website. To my complete surprise, I noticed if I set a session cookie (not a persistent cookie), close a tab, and then reconnect to the site, the session cookies are still there. That's not what I would have expected, actually. I would have expected the session cookies to be deleted.
If you close the browser, a session cookie is deleted, so why not closing a tab to have the same result?
Therefore, I'm using PHP5 and jQuery. Is there anything I can do such that when a tab is closed I can fix this session issue? Unfortunately the onbeforeunload event on the BODY tag is not useful here because when you click away from a page it fires that event, not just closing a tab.
The session cookie is per-process not per window. So even if you selected New Window you'd still get the same session id. This behavior makes sense. You wouldn't want a user to re-sign in each time they opened a new window while browsing your site.
I'm not aware off hand of any real way around this.
This is by design and trying to change it is a very bad idea. What if a user opens a link in a new tab and closes that? Should the session in the original tab be destroyed? Of course not! This demonstrates why you should not even think about this.
A session ends when the last browser window closes. If you want something else, you:
do not want sessions;
need to make your own "mini-session" infrastructure;
are probably in for a world of hurt and bugs.
Session web storage can be used instead of cookies if you need to depend on tab closure.
You can also write a javascript that detects when a tab is closed and delete the cookie in the javascript
I found a work around.
I'm working in ASP.NET C#. I have a Master Page for all the pages of the site except for the Login page. In the Master Page Sever Page Load event I get the Url of the referring page and check if it contains the root of the the site, if not I redirect to the Login page and since it doesn't have that Master Page it displays.
This works if I try to get to a page from another site or if I enter the Url to the address box of the browser. So if you close the tab and you try to reenter from another tab or reopen the tab, even tho the cookie hasn't been killed you can't reenter the site without going thru Login. This works also even if you haven't closed the tab and your navigating between different sites in the same tab.
This is the code
if (Request.UrlReferrer == null || !Request.UrlReferrer.AbsoluteUri.ToString().Contains("root"))
{
Response.Redirect("~/Account/Login.aspx");
}
When navigating from within the site there's no problem even if you open a link to another page in the site to another tab it opens.
If you want to be additionally sure you can kill the session and authentication cookie in that if clause before redircting to the Login page.
This won't work when a user navigated to another site in the same tab and presses the browsers back to button because that works on cache and doesn't automatically send a request to the server.
So this doesn't kill the session or authentication cookie on closing the tab, but it can help prevent reentering the site without logging in after closing the tab.
I am implementing a web application using ASP .Net and C#. One of the pages has a requirement that it always needs to be fetched from the server, rather than from the local browser cache. I have been able to achieve this.
We have a back button in the application, which simply invokes javascript:history.back() method. The problem is that when the back button is clicked to navigate to the page which is always to be reloaded from the server, the browser displays a "Web page expired message".
The intent here is to force the browser to reload the page rather than display the web page expired message.
Any help would be highly appreciated. Thanks a ton in advance.
You will probably need to change the implementation to make the browser load the URL explicitly:
window.location.href = 'http://....';
instead of invoking the back button, since the intention of the back button is to get the last page from the cache.
(If browsers would not act that way, they would re-send your form data multiple times when using the back button during a registration process or similar.)
You mean you want to control browser behaviour, which is not possible. I doubt you can solve it that way. You could set the expiration time to a small value (1 minute perhaps?) so that the page is still valid if one navigates back quickly.
Greetings,
Here's the problem I'm having. I have a page which redirects directly to another page the first time it is visited. If the user clicks 'back', though, the page behaves differently and instead displays content (tracking session IDs to make sure this is the second time the page has been loaded). To do this, I tell the user's browser to disable caching for the relevant page.
This works well in IE7, but Firefox 3 won't let me click 'back' to a page that resulted in a redirect. I assume it does this to prevent the typical back-->redirect again loop that frustrates so many users. Any ideas for how I may override this behavior?
Alexey
EDIT: The page which we redirect to is an external site over which we have no control. Server-side redirects won't work because this wouldn't generate a 'back' button for in the browser.
To quote:
Some people in the thread are talking about server-side redirect, and redirect headers (same thing)... keep in mind that we need client-side redirection which can be done in two ways:
a) A META header - Not recommended, and has some problems
b) Javascript, which can be done in at least three ways ("location", "location.href" and "location.replace()")
The server side redirect won't and shouldn't activate the back button, and can't display the typical "You'll be redirected now" page... so it's no good (it's what we're doing at the moment, actually.. where you're immediately redirected to the "lucky" page).
I think the Mozilla team takes a step into the right direction by breaking this particularly annoying pattern. Finding a way around it somehow defies the purpose, doesn't it?
Instead of redirecting on first encounter, you could simply make your page render differently when a user hits it the first time. Should be easy enough on the server side, since you already have the code that is able to make that distinction.
You can get around this by creating an iframe and saving the state of the page in a form field in the iframe before doing the redirect. All browsers save the form fields of an iframe.
This page has a really good description of how to get it working. This is the same technique google maps uses when you click on map search results.
I'm strongly in favor for the Firefox behaviour.
The most basic way to redirect is to let the server send HTTP status code 302 + Location header back to the client. This way the client (typically a browser) will not place the request URI into its history, but just resend the same request to the advocated URI.
Now it seems that Firefox started to apply the bevaviour also for server responses that try redirections e.g. by Javascript's onload event.
If you want the browser not to display a page, I think the best solution is if the server does not send the page in the first place.
Its possibly in aide to eliminate repeated actions.
A lot of ways people do things is
page 1 -> [Action] -> page 2 -> redirect to page 2 without the action parameters.
Now if you were permitted to click the back button in this situation and visit the page without the redirect, the action would be blindly re-performed.
Instead, firefox presumes the server sent a redirect header for a good reason.
Although it is noted, that you can however have content delivered after the redirect header, sending a redirect header ( at least in php ) doesn't terminate execution, so in theory, if you were to ingnore the redirect request you would get the page doing weird stuff.
( I circumvent this by the fact all our redirects are done via the same function call, where i call an explicit terminate directly after the redirect, because people when coding assume this is how it behaves )
In the URL window of firefox type about:config
Change this setting in firefox
browser.sessionstore.postdata
Change from a 0 to 1