NetTalk Central

Author Topic: Logout won't logout.  (Read 4120 times)

ccordes

Logout won't logout.
« on: October 24, 2007, 01:32:50 PM »
If I issue the following code, the session is toast, right?
    p_web.SetSessionLoggedIn(0)
    p_web.deletesession()

This is what I do in a logout page, which is a form with no fields and a single button that will allow the user to log back in.
My problem is that if I just click the back button, the user is back in business using the same SessionID and login. I had expected to get a page not found error at least.

Thanks,
chris
Real programmers use copy con newapp.exe

Bruce

Re: Logout won't logout.
« Reply #1 on: October 24, 2007, 10:27:28 PM »
Hi Chris,

Your code is accurate, yes - and the person would be "logged out".

Pressing back will trigger a GET or POST to the server, and this GET/POST will obviously have a sessionId (since the original did). So at this point a _new_ session is started, albeit one with the same number as before.

At this point the user is still logged out - and a new session is underway.

This is why it's so important to make sure that every window that _requires_ the person to be logged in actually has the "must be logged in" switch set.

It's, of course, not just the "back" button that creates the risk here - the user can type in the URL at any time they like, and the same issue applies.

Cheers
Bruce


ccordes

Re: Logout won't logout.
« Reply #2 on: October 25, 2007, 05:53:50 AM »
So if the sessionID in the URL doesn't exist, it is created?
But it doesn't maintain the login. And deleting the session clears any other data associated with the id?
That's good to know.
Thanks.
Real programmers use copy con newapp.exe
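
The behaviour discussed in Reply #1 and summarised in Reply #2, as an added Python model that is not part of the thread and is not NetTalk code: a request carrying a deleted session ID starts a fresh, logged-out session under the same ID, so only pages with the "must be logged in" switch set refuse it. The class, function and page names, the sample session ID and the 401 status are assumptions of the model.

```python
# Added model of the session behaviour in this thread; not NetTalk code.
# All names, the page table and the 401 status are hypothetical.

class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> {"logged_in": bool, "data": dict}

    def get_or_create(self, session_id):
        """Return (session, created). An unknown id starts a fresh session under
        the same id, as described for a request arriving after logout."""
        created = session_id not in self._sessions
        if created:
            self._sessions[session_id] = {"logged_in": False, "data": {}}
        return self._sessions[session_id], created

    def login(self, session_id, user):
        session, _ = self.get_or_create(session_id)
        session["logged_in"] = True
        session["data"]["user"] = user

    def logout(self, session_id):
        """Model of SetSessionLoggedIn(0) + deletesession(): drop flag and data."""
        self._sessions.pop(session_id, None)


# Constructed page table: True means the "must be logged in" switch is set.
PAGES = {"/orders": True, "/unguarded-orders": False, "/login": False}


def handle_request(store, path, session_id):
    """Return (status, body) for a GET carrying a client-supplied session id."""
    if path not in PAGES:
        return 404, "not found"
    session, _ = store.get_or_create(session_id)
    if PAGES[path] and not session["logged_in"]:
        return 401, "login required"
    return 200, "served %s for %s" % (path, session["data"].get("user", "anonymous"))


def back_button_after_logout(path, session_id="ABC123"):
    """Log in, log out, then replay a request with the old session id."""
    store = SessionStore()
    store.login(session_id, "chris")
    before = handle_request(store, path, session_id)
    store.logout(session_id)
    after = handle_request(store, path, session_id)
    return before, after
```

Calling `back_button_after_logout("/unguarded-orders")` shows the page still being served after logout, although to an anonymous session with no stored data.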