How to implement user sessions in ASP.NET C#

Hi,
Let me explain the scenario.
I am developing an application for Online Examination. Once a user logs into the system, he is allowed to start a Test; on clicking start test button the user is redirected to the questions page. Now when the user clicks and confirms ending of the test by a button click then he is redirected to the results page.
Now what I want here is that when the results page is being displayed the user should automatically be logged out of the system and should not be able to go back to the previous pages by pressing the browser's back button.
The problem which I am facing right now is that when the results page is displayed anyone can press the back button and continue the test and manipulate the result. How can I stop this? Need a detailed solution to it.

You will need to disable caching of the pages. When you press the back button, the browser will use the cached version of the page. If you disable caching, when the browser actions the back mechanism, it will determine that the page needs to be fetched again, processing the page with a state where the user is no longer logged in.

Store a session variable like currentQ that holds the ID of the latest question answered. If the user tries to answer a previously answered question, do not accept the answer and instead redirect him to the proper page.
This will also prevent him from using the Back button when he is in the middle of the examination.
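
The `currentQ` idea from this answer, as an added example (not code from the post). It goes one step further with a `Finished` flag so that nothing is accepted once the test has ended; the class name, the enum and the strict one-question-at-a-time ordering are assumptions.

```csharp
using System;
using System.Collections.Generic;

public enum SubmitResult { Accepted, AlreadyAnswered, OutOfOrder, ExamFinished }

// Server-side record of one candidate's progress. In the ASP.NET application
// this object would be kept in Session (assumed key "ExamProgress"), never in
// hidden fields or cookies the browser can replay.
public sealed class ExamProgress
{
    private readonly Dictionary<int, string> _answers = new Dictionary<int, string>();
    private readonly int _questionCount;

    public int CurrentQ { get; private set; }   // ID of the last question answered, 0 = none
    public bool Finished { get; private set; }

    public ExamProgress(int questionCount) { _questionCount = questionCount; }

    // The page to redirect to when a submission is rejected.
    public int NextQuestion { get { return Math.Min(CurrentQ + 1, _questionCount); } }

    public SubmitResult Submit(int questionId, string answer)
    {
        if (Finished) return SubmitResult.ExamFinished;                 // Back after "End test"
        if (questionId <= CurrentQ) return SubmitResult.AlreadyAnswered; // Back during the test
        if (questionId != CurrentQ + 1 || questionId > _questionCount)
            return SubmitResult.OutOfOrder;                              // skipped ahead
        _answers[questionId] = answer;
        CurrentQ = questionId;
        return SubmitResult.Accepted;
    }

    public void Finish() { Finished = true; }
}

public static class ExamProgressDemo
{
    public static void Main()
    {
        var exam = new ExamProgress(3);
        Console.WriteLine(exam.Submit(1, "B"));
        Console.WriteLine(exam.Submit(2, "A"));
        Console.WriteLine(exam.Submit(1, "C") + ", redirect to question " + exam.NextQuestion);
        exam.Finish();
        Console.WriteLine(exam.Submit(3, "D"));
    }
}
```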

You should store the logged-in user in a session or a cookie.
The results page should always check the cookie or session if the user is logged in.
If not the results page will display some feedback message.

The best thing you can do is either use a master page or place a user control on every page.
The MasterPage/UserControl should check for the current session (whether the user is logged in or not). If the session is available then it should continue, else it should move to the login screen. At the results page, you can clear the session value.
Now if a user presses the Back button at the results page, the page (master page or user control) won't find the session and will redirect to the login page.
I hope this will help you.
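
An added example (not code from any of the answers above) that combines the suggestions to disable caching, check the session on every page and clear it on the results page, written as Web Forms code-behind. The class names, the `UserId` and `FinalScore` session keys and the `ScoreLabel` control are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Base class for every page that needs a logged-in user (hypothetical name).
public class ProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Forbid browser and proxy caching so that Back causes a new request,
        // which then runs the session check below.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
        Response.AppendHeader("Pragma", "no-cache");

        // "UserId" is an assumed session key set by the login page.
        if (Session["UserId"] == null)
        {
            // endResponse: true stops the page before any content renders.
            Response.Redirect(FormsAuthentication.LoginUrl, true);
        }
    }
}

// Code-behind for a hypothetical Results.aspx containing <asp:Label ID="ScoreLabel">.
public class Results : ProtectedPage
{
    protected Label ScoreLabel;

    protected void Page_Load(object sender, EventArgs e)
    {
        // The score was computed and stored server-side when the test ended.
        ScoreLabel.Text = Convert.ToString(Session["FinalScore"]);

        // Log the user out as soon as the results have been produced.
        Session.Clear();
        Session.Abandon();
        FormsAuthentication.SignOut();
    }
}
```

The question pages would inherit from the same base class, so a Back press from the results page is re-requested, finds no session and lands on the login page.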

Related

Check user login with LinkButton or Hyperlink performance

Which option is better, when you have redirect to other page and user need to be logged in to use it.
With linkbutton you can in onClick event check if user is logged in and then redirect...
With hyperlink you can set navigateUrl and then on other page on page load check if user is logged in, if not redirect to login page...
Which option is better for performance or the right one to use it... In first option you have postback (whole page reload) in second you have only redirects but also load the page_load event if user is not logged in...
The Hyperlink control takes the user directly to the specified location
without posting back to the server.
The LinkButton control first posts the form to the server, then navigates to the URL. If you need to do any server-side processing before going to the target URL, use a LinkButton.
If there is no server-side processing necessary, don't waste a round trip and use the HyperLink control.
So, from your question ("Which option is better, when you have redirect to other page and user need to be logged in to use it"), it seems you want that only when the user is logged in should they be able to use the page they are redirected to.
So, in case the new page where they are redirected to validates the user also, then go for Hyperlink. In case the newly redirected page doesn't validate the user, and you require a validated user to use the new page, go for LinkButton.
I think the answer to this question lies in the application of the control.
Use a link button when you are working within the page (postbacks), use a hyperlink when you are redirecting the browser.
Ideally the hyperlink would be used in this case, as let's assume they are logged in; once you get to the page, if they're not, send them to the login page. Once they log in, send them back to the page they requested.
Now you may also think about checking if they're logged in before even displaying the hyperlink or any other control.
Cheers.

Do not maintain session

I have one website and I have added it as a bookmark.
The situation is:
I opened the browser and the website loaded from the bookmarked location, so now tab1 contains the website. Next I log in, and now it is on the home page.
Then I opened a new tab but I didn't load any site. Then I closed tab1 and opened the site from the bookmark location. Here, instead of the login page, it directly loads the page which was in tab2.
When I close the logged-in tab, it should ask for the login page in the next tab.
Please help me, guys, how to achieve this.
Thanks
You need to log out the user when the page is closing.
You can use the onbeforeunload event to manually log out the active user.
Have a look at this article about Save Changes on Close of Browser or When Exiting the Page
Login cookie is shared in same browser tabs (sometimes even in same type of browser).
In other words, if you log in in a tab in IE, you do not have to log in in different tabs. The login cookie is still valid, and you are automatically logged in.
However, if you open the same page in Firefox or Chrome, you'll still have to log in even if you have logged in in IE.
Updated: Please do not ask the user to re-login if a tab is closed and reopened in a different tab (in the same browser). Even banking websites won't do that. (Of course, the user will need to re-login if the browser is closed.)

Stopping users going to a site, then back to the previous site whilst staying logged in

I've got a strange one to solve today. A client needs their site to not allow people being logged in, going to a different site, then still being logged in if they hit the back button in their browser.
Simple I thought... until I couldn't find a page event that got fired when the back button was pressed from another site.
I thought of just using JavaScript and working with the referrer object, but this won't achieve my goal as I need to access the .NET Membership system and log the user out of their session.
Has anyone got around this problem? If so, how? Any help would be appreciated, potentially I'm just missing something that I could achieve in the Global.asax? If it helps, I'm using .NET 4.5 / C#.
Reasoning:
Due to, say, if one operator went and left their machine unlocked, visited Google, then another operator went on the same machine maliciously and hit the back button to gain access to that operator's logon (the client is very security cautious)
So you would like to log out the user whenever they leave your site? You can have global JavaScript that sends a request to the server every minute saying "Hey, server, I'm here! I'm user Joe Blogs, I'm still on the site". If the server does not get this message from a user for longer than a minute, log them out.
Overriding back button is just not going to work. What would you do if user opens up another tab/window and goes to google there?
Update:
You can try using .unload() from jQuery to catch the page leave, and destroy the cookies on that event.
However, when the machine is just left unattended, nothing stops a malicious user from grabbing the access.
Update 2: you can just set a very short session life! If the user is inactive (or left the page), log them out. To prevent possible annoyance from logging out when the user is looking at the screen for too long (filling in a very long form), make JavaScript send a regular request (every 5 minutes) to a dummy page on the server, to keep the session alive while the page is loaded.
Here is the source: Force users to logout when they leave my php website?
There is perhaps a "magical" solution for the problem but the key thing here is in the reasoning: Operator A is not allowed to use the site with the credentials of Operator B.
From a client and server perspective there is no way that the server or client (browser) can tell that persons changed seats at whatever moment in time.
That's the problem you have to solve.
But perhaps implementing face-detection is a little over the top?
If you were designing the site from the ground up you can do this by adding a header to specify that you do not want caching.
Cache-Control: no-cache
Pragma: no-cache
But you would then have to have all your site access through a single page. The page need not be displayed the same and can contain different controls etc., but its content would be decided by POST parameters rather than through the normal ASP.NET model.
e.g. Default.aspx and to navigate you would POST back at least two parameters. One would be the page to navigate to, and another would be an unpredictable token.
e.g. Token=3Zd2f4O61Z&Page=OrderHistory
Upon each page load you would validate the token and page title combination, and if OK you would display the page and generate new post-back data links for any navigation or actions you would like the user to take at that point. If the user were to try accessing the same page with the old token, it would expire the session and then log out the user. This is the most secure way to do this as then clicking the back button would prompt the user to resubmit their post data again. If OK was clicked, the browser would submit it but the server would recognise that the token was now invalid (as it has already been used, and discarded by the server) and then log out the user.
This method also protects against CSRF as you are validating a token in the payload of each request rather than just checking cookie values.
I know this won't help you unless you can reengineer your site, but I thought I'd add this solution in case anyone lands here with the requirement from the beginning.
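
The single-use Token/Page check described in this answer, as an added example (not the answerer's code). The `NavigationGuard` class, its method names and the choice to discard every outstanding token on each request are assumptions; in the ASP.NET application the object would be kept in Session.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Per-session store of the navigation tokens issued with the last response.
public sealed class NavigationGuard
{
    // token -> page it was issued for
    private readonly Dictionary<string, string> _issued = new Dictionary<string, string>();

    public bool LoggedIn { get; private set; }

    public NavigationGuard() { LoggedIn = true; }

    // Create an unpredictable token bound to one target page.
    public string Issue(string page)
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(bytes); }
        string token = Convert.ToBase64String(bytes);
        _issued[token] = page;
        return token;
    }

    // Accept a Token/Page pair once. A valid use discards every token from the
    // previous response; a stale or mismatched pair ends the session.
    public bool Validate(string token, string page)
    {
        string boundPage;
        bool ok = LoggedIn && token != null
                  && _issued.TryGetValue(token, out boundPage) && boundPage == page;
        _issued.Clear();
        if (!ok) { LoggedIn = false; }
        return ok;
    }
}

public static class NavigationGuardDemo
{
    public static void Main()
    {
        var guard = new NavigationGuard();
        string toOrders = guard.Issue("OrderHistory");   // links on the first page
        guard.Issue("Home");
        Console.WriteLine("first use: " + guard.Validate(toOrders, "OrderHistory"));
        guard.Issue("Home");                             // links on the OrderHistory page
        // Back button plus "resubmit form data" replays the old POST.
        Console.WriteLine("replay:    " + guard.Validate(toOrders, "OrderHistory"));
        Console.WriteLine("logged in: " + guard.LoggedIn);
    }
}
```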
You can have a landing page of your site contain nothing but a JS redirect to the real homepage; this way, when a person hits the back button he will first go back to the dummy redirecting page, which moves him back to the home page.
But it will be possible to override this if the user chooses to skip a number of pages at once or just opens another window.
Could you provide further information about why exactly it is needed? I think in your case, there is a possible solution of maybe having a separate database table or field for marking or flagging such users who have been redirected to another site; just treat them as signed off, and then once they hit your site's URL you can probably check for the flag and sign them back in automatically.
jQuery's unload() function will solve your problems, as well as the JavaScript window.onbeforeunload...

How do I prevent returning to my site without login after closing tab with x?

I have a logout button on my site that triggers
FormsAuthentication.SignOut()
forcing the need to log in again even if one uses the back button on the browser or copy/pastes the URL. However, if one closes the tab by the x button of the browser and there's another tab still open, if they copy/paste the URL the page will reopen without logging in. This is a serious security problem. If the browser is closed completely by closing all tabs, that doesn't happen. How can I prevent returning to the URL after closing the tab even if the browser hasn't been closed completely? Is there a way of catching a JavaScript OnClose event that will trigger FormsAuthentication.SignOut()? I'm working in ASP.NET C#.
That's a browser session problem.
A browser session ends only when the browser is closed (in fact, the cookie which holds the session ID is deleted when the browser is closed). That's why you are not logged out when you close only one tab without closing the whole browser.
There's no reason to log out the user when he only closes a tab. This behavior is not standard on the web and users can be disoriented if you do that.
But never mind, if you want to do that, you can write a bit of JavaScript that shows a popup to warn the user he must log out before leaving. To do that, use the unload or onbeforeunload event.
Look here to see examples:
How to create popup window when browser close
You may use javascript on window onbeforeunload event to make a call to your website and log out the user.
Wait, the user has two tabs open on your site and they click "Logout" in the one, but not in the other? Well, then they haven't really logged out - the session is still active. I see how that can be a problem. But it is not a SECURITY problem, it's just the same user that remains logged in.
Anyway, you can create, for instance, a new session variable that you fill with a value whenever the user logs in, and that you delete when the user logs out. Then in every Page_Load, check this variable, and redirect to the login page if it doesn't exist.
Might be a bit of overkill, but it's all server side and you won't need Javascript to do it.

Store data before leaving page

I have a link on my ASP.NET page. I need to store some data in session before the user goes to that link location. Is there any event that I can catch when the user is going to leave that page?
PS
I can't store that data when the user clicks on the link. I need an event on leaving the page.
The way the web works is stateless. The server is not aware of your user leaving a page. It is only aware of a new request that is coming in, which would happen after the user clicked on a certain link.
If you wanted to store data in the session before that link was clicked, you would have to store it in the session on the previous request when you were generating the page containing the link.
Try using JavaScript to intercept the user before page exit and then in the JS function send an Ajax post to the ASP.net page with the logging details (which would then be put into the user's session object).
Your best hope is to use Javascript events.
You can use window.onunload or window.onbeforeunload to either fire off an AJAX request or warn the user to save their work before continuing.
Obviously, both of these events are browser dependent and rely on Javascript being switched on.
