ASP/VBS: Log Out User does not work

New Here, Sep 12, 2010
Are you guys aware that the Log Out User server behavior in ASP/VBS (the only one I tested) does not work? It is easily defeated by the back button in the two browsers I tested it in (Opera 10.62 and Firefox 4.0 Beta 3). While this is not an Adobe-specific problem (I haven't found any ASP code that works, at least for non-https sites), I think the server behavior provides a false sense of security to users, so this issue needs to be addressed.

To test this out for yourself, follow these steps:

1.  Apply Restrict Access to Page SB to a page.

2.  Apply Log Out User SB to the same page.

3.  Create another page, SetSession.asp, to set the MM_Username session variable and redirect to the supposedly protected page.

If you don't like the sound of #3, then go ahead and create a login page and then redirect to the protected page.

4.  Either use login or the SetSession.asp page in Opera to go to the protected page.

5. Click on the Log Out link.

6. Click on the back button in the browser. It will take you back to the protected page, which it should not.

Disable Javascript in Opera, just in case.

LEGEND, Sep 12, 2010

> Are you guys aware that the Log Out User server behavior in ASP/VBS (the only one I tested) does not work?

It works fine for me.

> Click on the back button in the browser. It will take you back to the protected page, which it should not.

Sure it should. Hitting the back button results in the page being displayed from the cache, not the server. If you don't want this behavior you need to investigate methods to disable the browser cache.

New Here, Sep 12, 2010

> It works fine for me.

Well, congratulations! All it means is that you could not defeat the code, but all users may not be that generous. Folks, please don't post that it works for you too. If you have an answer that does not depend on client-side JavaScript, please do share it; otherwise let some of the people who are more knowledgeable about this issue offer their suggestions.

> Sure it should. Hitting the back button results in the page being displayed from the cache, not the server. If you don't want this behavior you need to investigate methods to disable the browser cache.

Listen, I really don't wish to be rude but after spending countless hours scouring the web for an answer my patience is wearing a bit thin.  Please, folks, don't detract from the serious intent of this very serious question. As for the previous respondent who perhaps may not be completely familiar with what a secure LogOut is supposed to do, please LogOut of your bank site and see if that lets you view the protected page from cache.

Votes

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
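The thread turns on the browser showing a stored copy of the protected page after logout. As an added example (not part of the thread and not Dreamweaver-generated code), this is one way a protected classic ASP page can ask the browser not to store it and re-check the session on every request. The file names protected.asp, login.asp and logout.asp are hypothetical; MM_Username is the session variable named in the first post.

```asp
<%@ LANGUAGE="VBSCRIPT" %>
<%
' protected.asp (hypothetical name): added example, not Dreamweaver-generated code.
' Place this block above any other output on the protected page.
Response.Buffer = True   ' lets headers and redirects be set before output is sent

' 1. Ask the browser and intermediate proxies not to keep a copy of this page.
Response.Expires = -1                               ' content is already expired
Response.CacheControl = "no-cache"                  ' replaces the default "private"
Response.AddHeader "Cache-Control", "no-store, must-revalidate"
Response.AddHeader "Pragma", "no-cache"             ' for HTTP/1.0 clients and proxies

' 2. Server-side check on every request. With no stored copy to show, Back
'    has to ask the server again, and this check runs against the ended session.
If Session("MM_Username") = "" Then
    Response.Redirect "login.asp"                   ' hypothetical login page
End If
%>
<html>
<body>
<p>Protected content</p>
<p><a href="logout.asp">Log out</a></p>
</body>
</html>

<%
' logout.asp (hypothetical name, separate file): end the whole server-side
' session rather than clearing one variable, then send the user to the login page.
Session.Abandon
Response.Redirect "login.asp"
%>
```

The headers can be confirmed in the browser's network inspector on the protected page's response; without them, Back can redisplay a stored copy without any request reaching the session check.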