Discussion:
logout from db2k app
Horacio Echeverria
2008-11-11 22:59:07 UTC
Hi,
Does anybody know how to do a logout (or logoff) from a web application, to avoid going back and seeing the last page from while I was in session? I guess it is like clearing the cache, but I would like to have a page response saying that I'm logged off if I try to go back, instead of an error page.

Thank you.

PS. My apps are in db2k and are for an intranet
Claus Mygind
2008-11-13 13:04:23 UTC
Horacio,

If you want to block the user from going back to the previous page, all you
have to do is navigate to the next page in your script with the JavaScript
location.replace( ) method.

Here is an example:

location.replace("http://www.megacorp.com/indexDHTML.html");

Of course, if you are serving this up from the web server via your dBase app, you
would have to put the dBase wrapper around the JavaScript statement.

oCGI.fOut.puts([<script type="text/javascript" language="JavaScript1.2">])
oCGI.fOut.puts([location.replace("http://www.megacorp.com/indexDHTML.html");])
oCGI.fOut.puts([</script>])


Claus
Horacio Echeverria
2008-11-14 17:49:46 UTC
Thanks Claus. I will try this solution and let you know.

Horacio
Horacio Echeverria
2008-11-19 05:21:58 UTC
I implemented the location.replace JavaScript Claus suggested and it works only with the last page, the one where I click to log out. The problem here is that if I go to the history, I can still go to the pages I was on before the last one (except the last one, of course). And if I do a refresh from any of those late pages after I log off, they can retrieve the session as if I'm logged in, without going to the proper login form. I guess this has to do with the cache, but the problem also is that if I'm in session, I should be able to go back to the last pages visited, but when I'm out I should not. I'm stuck!
Horacio
Horacio Echeverria
2008-11-20 00:50:33 UTC
Thanks Ronnie,

Yes, I have been all over the web in search of a real solution and there are some band-aids to try to deal with this. The problem here is that the issue is a client-side problem, and I don't see any server-side application helping in any way to solve it. Some browsers work with some of the solutions and some don't. Well, I guess I will try a mix of some of them.

Thank you
Claus Mygind
2008-11-20 14:10:33 UTC
Another thought would be a simple table on the server side that stored a
timeStamp every time the user accesses the site. If the user exists, update
latest access time, else prompt user to login. When user has logged in then
add user with access time to table.

On the server side have a small app running all the time that checks current time
on server vs last access time of all users in table. If current time on
server exceeds last timestamp + the expire time (15 min or whatever) delete
user entry. This small app would have a timer in it that runs every 60 sec
(or whatever time interval you desire). If user then tries to do further
activity they would be prompted to login as they have been erased from the
table of current users.

Add logout feature to your web app. If user should click logout, delete
user entry from table.

It is easy to capture user on server side through the environment variables
and you would have a self maintaining table on the server of just current
users. It does not matter if the user has multiple tabs open on the client
computer as you are measuring their fingerprint on the server. Every time
they do a query or post to the server you simply capture them and store
them.
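
The server-side table of current users described in the post above, as an added example in JavaScript (Node.js) that is not part of the original thread or any poster's code. The class and method names are hypothetical, and entries are keyed by a random session ID issued at login (an assumption of this example) rather than by the environment-variable fingerprint the post mentions.

```javascript
// Added example: server-side table of current users with an idle timeout.
const crypto = require("crypto");

const IDLE_LIMIT_MS = 15 * 60 * 1000; // expire time used in the post: 15 min

class SessionTable {
  constructor(idleLimitMs = IDLE_LIMIT_MS) {
    this.idleLimitMs = idleLimitMs;
    this.rows = new Map(); // sessionId -> { user, lastAccess }
  }

  // After a successful login: add the user with the access time.
  login(user, now = Date.now()) {
    const id = crypto.randomBytes(32).toString("hex"); // unguessable key
    this.rows.set(id, { user, lastAccess: now });
    return id;
  }

  // On every query or post: refresh the timestamp, or return null so the
  // caller prompts for login (unknown, logged out, or idle too long).
  touch(id, now = Date.now()) {
    const row = this.rows.get(id);
    if (!row) return null;
    if (now - row.lastAccess > this.idleLimitMs) {
      this.rows.delete(id); // expired even if the sweeper has not run yet
      return null;
    }
    row.lastAccess = now;
    return row.user;
  }

  // Logout link: delete the entry so Back + Refresh cannot revive it.
  logout(id) {
    return this.rows.delete(id);
  }

  // Periodic job (every 60 s in the post): purge idle entries.
  sweep(now = Date.now()) {
    let removed = 0;
    for (const [id, row] of this.rows) {
      if (now - row.lastAccess > this.idleLimitMs) {
        this.rows.delete(id);
        removed++;
      }
    }
    return removed;
  }
}
```

Because `touch` checks the idle limit itself, a request that arrives between two sweeper runs is still rejected once the limit has passed.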
Claus Mygind
2008-11-20 13:53:39 UTC
Not being too familiar with this stuff, it would seem that using cookies in
the application would take care of most of the problem. Also setting up a
login script on the server would work.

With the cookie approach if the user logs out the client side
application you served up would write back to the cookie that the user has
exited. Since the cookie is stored on the client machine any further attempt
to access the site would prompt to please login again. Cookies could also
contain a timeout (inactivity period) that would automatically expire if
the client app has a timer running in it. That should cover both single and
multiple tab browsers.

On the server side simple login authentication should also be able to handle
the process. While we do not use a log out process on our server (Apache)
we do have a log in requirement. We have established various levels of
login. These are automatically reset once every 24hr or if the client
computer is rebooted, the user is prompted to log in again.

Just some thoughts, don't know if they are helpful

Claus
Dan Barbaria
2008-11-19 17:28:21 UTC
Post by Horacio Echeverria
The problem here is that if I go to the history, I can still go to the
pages I was before the last one, (except the last one of course). And if I
do a refresh from any of those late pages after I logoff, they can retrieve
the session as if I'm logged in, without going to the proper login form. I
guess this has to do with the cache but the problem also is if I'm in
session, I should be able to go back to the last pages visited but when I'm
out I should not. I'm stuck!
I don't know for sure if this will help but I put the following code within
the <Head> </Head> tags of the HTML.

<META HTTP-EQUIV="Expires" CONTENT="Tue, 04 Dec 1993 21:29:02 GMT">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="no-cache">

Dan Barbaria
Ronnie MacGregor
2008-11-19 19:35:09 UTC
On Wed, 19 Nov 2008 00:21:58 -0500
Post by Horacio Echeverria
The problem here is that if I go to the history, I can still go to the pages
I was before the last one, (except the last one of course). And if I do a
refresh from any of those late pages after I logoff, they can retrieve the
session as if I'm logged in, without going to the proper login form. I guess
this has to do with the cache but the problem also is if I'm in session, I
should be able to go back to the last pages visited but when I'm out I should
not. I'm stuck!
The problem is actually worse than you describe. With modern tabbed browsers,
and people leaving tabs open between browsing sessions and the browser set to
restore, you can not only close your browser, but also switch off the machine
and guess what .... open up the browser next time and the previous session is
restored allowing you access from where you left off.

This is a huge security concern, and I have spent a significant amount of time
developing a PHP/MySQL to deal with this as well as a host of other security
related issues.

The key to the problem you describe is to ensure a user log in times out after
a pre-defined period of inactivity, but I can tell you that a proper
implementation of this in addition to other features has become an application
in its own right!
--
Ronnie MacGregor
Scotland

Ronnie at
dBASEdeveloper
dot co dot uk

www.dBASEdeveloper.co.uk
Claus Mygind
2008-11-19 15:40:20 UTC
Horacio,

You may have to use cookies with a timestamp then to control sessions.
Sorry I do not have a quick example.

Claus