Participant
September 12, 2010
Question

ASP/VBS: Log Out User does not work

  • September 12, 2010
  • 1 reply
  • 669 views

Are you guys aware that the Log Out User server behavior in ASP/VBS (the only one I tested) does not work? It is easily defeated by the back button in the two browsers I tested it in (Opera 10.62 and Firefox 4.0 Beta 3). While this is not an Adobe-specific problem (I haven't found any ASP code that works, at least for non-https sites), I think the server behavior provides a false sense of security to users, so this issue needs to be addressed.

To test this out for yourself follow these steps:

1.  Apply Restrict Access to Page SB to a page.

2.  Apply Log Out User SB to the same page.

3.  Create another page, SetSession.asp, to set the MM_Username session variable and redirect to the supposedly protected page.

If you don't like the sound of #3 then go ahead and create a login page and then redirect to the protected page.

4.  Either use login or the SetSession.asp page in Opera to go to the protected page.

5. Click on the Log Out link.

6. Click on the back button in the browser. It will take you back to the protected page, which it should not.

Disable Javascript in Opera, just in case.


1 reply

Participating Frequently
September 12, 2010

>Are you guys aware that the Log Out User server behavior in ASP/VBS (the only one I tested) does not work?

It works fine for me.

>Click on the back button in the browser. It will take you back to the protected page, which it should not.

Sure it should. Hitting the back button results in the page being displayed from the cache, not the server. If you don't want this behavior you need to investigate methods to disable the browser cache.

Participant
September 12, 2010

> It works fine for me.

Well, congratulations! All it means is that you could not defeat the code, but all users may not be that generous. Folks, please don't post that it works for you too. If you have an answer that does not depend on client-side JavaScript, please do share it; otherwise let some of the people who are more knowledgeable about this issue offer their suggestions.

> Sure it should. Hitting the back button results in the page being displayed from the cache, not the server. If you don't want this behavior you need to investigate methods to disable the browser cache.

Listen, I really don't wish to be rude but after spending countless hours scouring the web for an answer my patience is wearing a bit thin.  Please, folks, don't detract from the serious intent of this very serious question. As for the previous respondent who perhaps may not be completely familiar with what a secure LogOut is supposed to do, please LogOut of your bank site and see if that lets you view the protected page from cache.
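
The two pieces the thread is arguing about, server-side session teardown and response headers that stop the browser from keeping a copy of the protected page, shown together as an added example (not Dreamweaver's generated server behavior code and not code from either poster). The file names `protected.asp`, `logout.asp` and `login.asp` are assumptions; `MM_Username` is the session variable named in the question.

```asp
<%
' ---- protected.asp (assumed file name): place at the very top of each restricted page ----
Response.Buffer = True   ' keep output buffered so headers can still be set

' Ask the browser and any intermediate proxy not to store this response.
Response.Expires = -1
Response.AddHeader "Pragma", "no-cache"
Response.AddHeader "Cache-Control", "no-store, no-cache, must-revalidate"

' Server-side access check. It runs on every real request, including the
' one the browser has to make when Back finds no stored copy of the page.
If CStr(Session("MM_Username")) = "" Then
    Response.Redirect "login.asp"   ' assumed login page name
End If
%>
<html><body>Protected content goes here.</body></html>

<%
' ---- logout.asp (assumed file name): a separate file, target of the Log Out link ----
' Drop the login marker immediately, then discard the whole session.
Session.Contents.Remove "MM_Username"
Session.Abandon
Response.Redirect "login.asp"       ' assumed login page name
%>
```

Browsers differ in how history navigation honours these headers, so repeat the Back-after-logout test from the question in every browser you support.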