I have a problem with my page, when I close the session I destroy the session variables, if I return to the previous page with the browser's arrow it shows my "menu" page that already has the validation that it does not enter if the session variables are empty ( that is the problem I have), I have verified that when I update my "menu" page it immediately does what I want to go to the login page, I am working with design and content web pages (similar to master pages) in vb.net
If Not Page.ispostback Then
If Session("nombre") Is Nothing And Session("numero") Is Nothing Then
Response.Redirect("~/Index.aspx")
Else
PageData("Title") = "Escriba el título aquí"
Layout = "_Layout.vbhtml"
End If
End If
It seems to me that the problem is that you are not correctly removing the session variables.
Make sure to remove the variables:
To remove all:
After doing this you will find that the variables are removed correctly:
Make sure the class used is
HttpContext.Current.Session
.What I would advise is that you don't use the Session object to implement security on your website, you should use asp.net security
here
Login – Using Password with Hash
I explain how you could do it
As a first step defend the
web.config
You authenticate using
To perform a logoff you would use
It's that simple, this redirects to the login and will not let you enter another page if you are not authenticated.
Using
Session
for security is a bad ideaI think what is happening is that the browser is caching your menu page. This would mean that, when closing the session and returning to the previous page, the browser does not make a request to the server and is showing the version that it has cached.
You could check this by opening the browser's development tools and checking the network requests for the response headers that tell the browser if the page is cacheable and how.
If you look at the image corresponding to a request to SO you will see how the headers are indicating that it should not be cached
To make your page uncached you must add this code to your page (for example in the
Page_Init
) (code obtained from this SO answer in English)By the way, I agree with Leandro Tuttini that you shouldn't use session variables, much less to implement security.