Restrict access to page
12 May 2003 00:38:59 Christian Sen posted:
I'm struggling here on getting some of my pages 100% secure. I have made a login page in DWMX where user information is based on an Access database. My members are redirected to their own page on the server and I have made a logout link where my members can log out after their session. My problem is that after they have logged out, they can just use the back button on the browser and they are back in again!! Although I have restricted the page!
Any clues?
12 May 2003 11:48:11 Lee Diggins replied:
Hi Sarre,
You need to add an access level column to your db.
Modify your Login User server behaviour to include the access level data then add a Restrict Access to Page server behaviour.
Hope this helps
Digga
Sharing Knowledge Saves Valuable Time!!!
13 May 2003 11:32:12 Christian Sen replied:
Hi Digga!
I tried your suggestion, but I got an error message:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] The LEVEL clause includes a
reserved word or argument that is misspelled or missing, or the punctuation
is incorrect.
/login.asp, line 23
Below is a copy of my page (login.asp)
<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<!--#include file="Connections/server.asp" -->
<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString <> "" Then MM_LoginAction = MM_LoginAction + "?" + Request.QueryString
MM_valUsername = CStr(Request.Form("brukerfield"))
If MM_valUsername <> "" Then
  MM_fldDynamicRedirect = "redirect"
  ' Column name containing a space: appended unquoted to the SELECT list below,
  ' this is what makes the Jet driver report the "LEVEL clause" error quoted above.
  MM_fldUserAuthorization = "access level"
  MM_redirectLoginSuccessDynamic = ""
  MM_redirectLoginFailed = "login_feil.asp"
  MM_flag = "ADODB.Recordset"
  Set MM_rsUser = Server.CreateObject(MM_flag)
  MM_rsUser.ActiveConnection = MM_server_STRING
  MM_rsUser.Source = "SELECT brukernavn, passord"
  If MM_fldDynamicRedirect <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldDynamicRedirect
  If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
  ' Single quotes in the submitted values are doubled so they cannot terminate the string literal.
  MM_rsUser.Source = MM_rsUser.Source & " FROM logintabell WHERE brukernavn='" & Replace(MM_valUsername, "'", "''") & "' AND passord='" & Replace(Request.Form("passfield"), "'", "''") & "'"
  MM_rsUser.CursorType = 0
  MM_rsUser.CursorLocation = 2
  MM_rsUser.LockType = 3
  MM_rsUser.Open
  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' username and password match - this is a valid user
    Session("MM_Username") = MM_valUsername
    If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If
    ' Read the per-user redirect independently of the access level, so the redirect
    ' target is set even when an access level column is configured.
    If (MM_fldDynamicRedirect <> "") Then
      MM_redirectLoginSuccessDynamic = CStr(MM_rsUser.Fields.Item(MM_fldDynamicRedirect).Value)
    End If
    ' "And False" is emitted by the behaviour when "go to previous URL" is switched off.
    If CStr(Request.QueryString("accessdenied")) <> "" And False Then
      MM_redirectLoginSuccessDynamic = Request.QueryString("accessdenied")
    End If
    MM_rsUser.Close
    Response.Redirect(MM_redirectLoginSuccessDynamic)
  End If
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If
%>
Appreciate your time and support
Sarre
13 May 2003 11:56:40 Vince Baker replied:
You might be using a restricted word.
try naming the field something like:
LvlSecurity
Regards
Vince
Visit my home: www.chez-vince.com
VBScript | ASP | HTML | SQL | Oracle | Hosting
14 May 2003 17:19:48 Matthew Maguire replied:
Sarre,
Just a thought - the problem may simply be that you have not specified for your asp pages not to be cached by your browser. If this is the case, then pressing the back button will reload the page without the server processing it.
The following code snippet should be included at the beginning of your page:
<%
Response.Expires=-1000
Response.CacheControl="no-cache"
%>
Hope this helps,
Matthew Maguire
14 May 2003 17:58:23 Christian Sen replied:
Thank you, mattymaguire!
Your tip worked like a charm, access was denied when I hit the back button after logging out.
Thank you!
03 Sep 2007 22:40:20 Eric Christensen replied:
I am having a very similar problem. My access restrictions are working (to an extent). If I log in, I can access pages that require logging in. If I click the logout button, I get the confirmation that I have logged out, page redirects, and I can click back to access the restricted page. I have added the code that you listed above, and it helps, but not perfectly. If I click back, the page will still load, but if I click refresh, I get my "access denied" page. Is there any way to prevent the session from carrying through a "back" click?
Before adding the code, even a refresh would keep the session active after a logout. Now, at least the refresh button shows the access denied, but the browser "back" button still allows the page to be loaded.
Any suggestions would be greatly appreciated.
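For the caching fix Matthew describes and the Back-button case Eric still sees, here is an added example (not code from any poster in this thread): a hypothetical include, restrict_inc.asp, that sends the full anti-caching header set, checks the session on every request, and abandons the session on logout. login.asp, its accessdenied query string and the Session("MM_Username") key come from the thread; the file name and Sub names are assumptions.

```asp
<%
' Added example (not from any poster): restrict_inc.asp, a hypothetical include
' that a restricted page pulls in before it writes any output. Two separate
' problems are handled because they have separate causes:
'  - the server must refuse the page once the session is gone, and
'  - the browser must not keep a copy it can replay on Back or Refresh.
' Session("MM_Username") is the key the Log In User behaviour sets in login.asp.

Sub SendNoCacheHeaders()
    Response.Expires = -1                 ' minutes; already expired
    Response.ExpiresAbsolute = #1/1/1990# ' absolute date for older caches
    Response.CacheControl = "no-cache"    ' as in the thread: revalidate before reuse
    ' no-cache alone still lets most browsers show the stored copy on Back;
    ' no-store forbids keeping a copy at all, so history navigation refetches
    ' and the server-side check below runs again.
    Response.AddHeader "Cache-Control", "no-store, must-revalidate"
    Response.AddHeader "Pragma", "no-cache"   ' HTTP/1.0 proxies
End Sub

Sub RequireLogin()
    ' Empty session variable compares equal to "" in VBScript, so this covers
    ' both "never logged in" and "logged out".
    If Session("MM_Username") = "" Then
        ' back to login.asp, remembering the page that was requested
        Response.Redirect "login.asp?accessdenied=" & Server.URLEncode(Request.ServerVariables("URL"))
    End If
End Sub

Sub LogOutUser()
    ' Drop the whole server-side session, not just the two MM_ keys, so every
    ' later request (Refresh and Back included) fails RequireLogin.
    Session.Abandon
    Response.Redirect "login.asp"
End Sub

' Usage, always before any HTML is sent:
'   restricted page:  <!--#include file="restrict_inc.asp" -->
'                     SendNoCacheHeaders : RequireLogin
'   logout.asp:       <!--#include file="restrict_inc.asp" -->
'                     SendNoCacheHeaders : LogOutUser
%>
```

The two headers together give the result Eric wants: Refresh is refused by RequireLogin, and Back no longer shows a cached copy because the browser was told not to store one.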