NetTalk Central

Author Topic: Safe logout  (Read 4005 times)

Robert Iliuta

  • Sr. Member
Safe logout
« on: May 17, 2010, 10:05:19 AM »
Hallo,


I read all posts about logout and they don't solve my problem. I use frames in my app. After I log out I call the login window. Now if I press the Back button I can work again... How can I reset the session id, to make it like a fresh login?

When I call the login form I put this code in Generate Form and nothing happens :-(

p_web.SetSessionLoggedIn(0)
p_web.DeleteSession()
p_web.NewSession()

Any ideas ?

Thank you,
Robert

kevin plummer

  • Hero Member
Re: Safe logout
« Reply #1 on: May 17, 2010, 03:11:16 PM »
Have you ticked the check box on all procedures (except the login) that the user must be logged in?

Robert Iliuta

  • Sr. Member
Re: Safe logout
« Reply #2 on: May 17, 2010, 09:45:32 PM »
Hallo Kevin,

Yes, all procedures have the option "user must be logged in" ticked.

After I log out I can go back and work without any problems... I tested also with the example "Frame With Menu (4)" and it is the same...


Robert

Bruce

  • Global Moderator
  • Hero Member
Re: Safe logout
« Reply #3 on: May 17, 2010, 11:22:34 PM »
Hi Robert,

Ok, there are a few bases to be covered here. It's possible to miss one, or indeed it's possible to misinterpret what is happening.

Firstly - the status of "logged in" or "logged out" is unrelated to the session queue. In other words logging in, or out, does not affect the state of the variables in the session queue.
So you are correct, if you want to force the session to be deleted, then you can do the
p_web.DeleteSession()
p_web.NewSession()
calls.
Note that NewSession will not necessarily change the session number, that's irrelevant - rather it is the variables inside the session that are deleted.

Now for the complication when you hit the "back" button. The different browsers behave slightly differently here. Some, for example, do not query the server at all, they simply display something they've cached along the way. If that something is the login screen, then often they'll "helpfully" fill in all the fields for you. Others will redo the actual POST complete with login and password etc.

On your side there are a number of ways of dealing with this. One is demonstrated in example 3 - which is the addition of a "hash value" to the login screen. The logic is simple - when the form is generated a session value ('hashvalue') is declared with a random number. When the user logs in this value is cleared. During the login, this value is checked as part of the login validation (before the session value is cleared). This technique prevents the same login form from being posted twice.

Of course, user education is a wonderful thing, and this applies to _all_ sites you log into, not just NetTalk ones. If you are ever using a public machine to access a site protected by a password you should always:
a) make sure you click the logout button if the site provides one,
b) clear the browsing history from the browser (especially clearing cookies), and
c) close the browser before leaving the machine.

Cheers
Bruce
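The two mechanisms Bruce describes, a one-time 'hashvalue' stored in the session when the login form is generated and checked before it is cleared, and a DeleteSession()/NewSession() pair that wipes the session variables on logout, are modelled below in Python. This is an added illustration written for this thread, not NetTalk or Clarion code and not example 3 itself; the WebServer/Session classes, the USERS table and the session id "s1" are constructed for the demo, and only the variable name 'hashvalue' is taken from the post.

```python
import hmac
import secrets

# Constructed credential table for the demo only (not a real user store).
USERS = {"robert": "correct horse"}


class Session:
    """Stand-in for the per-session variable queue: variables plus a
    separate logged-in flag, because the post stresses the two are unrelated."""

    def __init__(self):
        self.vars = {}
        self.logged_in = False


class WebServer:
    def __init__(self):
        self.sessions = {}

    def new_session(self, sid="s1"):
        # A fresh, empty variable queue. The identifier may stay the same;
        # what matters is that the old variables are gone.
        self.sessions[sid] = Session()
        return sid

    def delete_session(self, sid):
        self.sessions.pop(sid, None)

    def generate_login_form(self, sid):
        """Called when the login form is generated: declare a random
        'hashvalue' in the session and emit it as a hidden form field."""
        token = secrets.token_hex(16)
        self.sessions[sid].vars["hashvalue"] = token
        return {"hashvalue": token}

    def login(self, sid, form):
        """Login validation. The token is checked first, then cleared, so the
        same form can only be posted once (replay via Back is rejected)."""
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        expected = sess.vars.get("hashvalue", "")
        submitted = form.get("hashvalue", "")
        # Constant-time comparison; an empty expected value never matches.
        if not expected or not hmac.compare_digest(expected, submitted):
            return False
        sess.vars["hashvalue"] = ""  # one-time: clear before anything else
        user = form.get("user", "")
        pwd = form.get("password", "")
        # Guard the lookup so an unknown user with an empty password cannot
        # match the empty default.
        if user in USERS and hmac.compare_digest(USERS[user], pwd):
            sess.logged_in = True
            return True
        return False

    def logout(self, sid):
        # Mirrors the DeleteSession()/NewSession() pair from the thread.
        self.delete_session(sid)
        self.new_session(sid)


def replay_demo():
    """Walk through the scenario in the thread: log in, press Back and
    resubmit, log out, then resubmit the old form again."""
    srv = WebServer()
    sid = srv.new_session()
    form = srv.generate_login_form(sid)
    post = {"hashvalue": form["hashvalue"],
            "user": "robert", "password": "correct horse"}
    first = srv.login(sid, post)        # fresh form: accepted
    replayed = srv.login(sid, post)     # same POST again: token already cleared
    srv.logout(sid)
    after_logout = srv.login(sid, post)  # wiped session: no token to match
    return first, replayed, after_logout, srv.sessions[sid].logged_in


if __name__ == "__main__":
    print(replay_demo())
```

Because the token is cleared on every login attempt, a wrong password also invalidates the form; the user has to load the login page again, which generates a fresh 'hashvalue'. That is the behaviour the post describes, and it is the reason a browser that re-POSTs a cached form after logout gets nowhere.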

Robert Iliuta

  • Sr. Member
Re: Safe logout
« Reply #4 on: May 18, 2010, 01:53:56 AM »
Hallo Bruce,

Works perfectly!
Nice example (3) with the hash value :-)

Thank you very much.
Robert