Removing the user session is not enough. You have to make sure that there are no
backdoors into your application. One way to do this is to set the
'isLoginRequired' property to 'true' for every page that needs
authentication. You can also do it at the Project level by implementing the
project's onBeforeSecurityCheckEvent() and onSessionTimeoutEvent(). Below
is an example.
Hope this helps.
Cheers,
Oleg Fonarev.
*******************************************************************
private boolean isExpiring = false;
private String loginPageName = "pgLogin";

public int this_onSessionTimeoutEvent(CSpProjectSessionEvent event)
{
    // Remember the timeout; the next security check sends the user to login.
    isExpiring = true;
    return PROCEED;
}

public int this_onBeforeSecurityCheckEvent(CSpProjectSecurityEvent event)
{
    // If the user session has expired or someone is trying to hack into the
    // system, send to the login page.
    // Otherwise check the user's access privileges.
    boolean hasExpired = isExpiring;
    if (isExpiring)
    {
        isExpiring = false;
    }
    CSpCommonPage currPage = event.getCurrPage();
    String currPageName = currPage.getName();

    // Exclude pages that do not require login.
    if (!currPageName.equals(loginPageName))
    {
        if (hasExpired)
        {
            CSpCommonPage loginPage = CSpider.getCommonPage();
            // Display an error message and load the login page
            // .....
            loginPage.load();
            return STOP;
        }
        // Check if someone is trying to hack into the system.
        // The CMyLogin class extends CSpLogin. An instance of
        // this class is created and is saved into the user's session
        // when the user logs in.
        CMyLogin userLogin = CMyLogin.getLogin();
        if (userLogin == null)
        {
            // A hacker!!!
            CSpLog.send(this, CSpLog.WARNING,
                        "Attempt to bypass security! Page: " + currPageName);
            CSpCommonPage loginPage = CSpider.getCommonPage();
            // Display a nice error message and load the login page
            // .....
            loginPage.load();
            return STOP;
        }
        // Next check whether the user has access to the page.
        if (!userLogin.hasAccess(currPageName))
        {
            // A smart hacker!!!!
            CSpLog.send(this, CSpLog.WARNING,
                        "Attempt to bypass security! Page: " + currPageName
                        + "\nUser Id: " + userLogin.getUserId());
            // Still display a nice error message.
            // Don't offer to login this time.
            // Don't even try!
            // .....
            return STOP;
        }
        // Add Display Listeners to all page children that have
        // access restrictions
        // ......
    }
    return PROCEED;
}
**************************************************************
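As an added example (not part of the thread, and not NetDynamics code), the same three checks as a stand-alone Java class that compiles and runs: session timeout, a protected page requested with no login object in the session (the browser BACK-button case from the question), and page-level access. PageGuard, LoginInfo and the "login" session key are assumptions standing in for CSpLogin and the framework's session object.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
// Framework-independent stand-in for the onBeforeSecurityCheckEvent logic.
// PageGuard, LoginInfo and the "login" key are hypothetical, not NetDynamics API.
public class PageGuard {
    public enum Outcome { PROCEED, SHOW_LOGIN, DENY }

    /** Stored in the server-side session when the user logs in (cf. CMyLogin). */
    public static final class LoginInfo {
        final String userId;
        final Set<String> allowedPages;
        LoginInfo(String userId, Set<String> allowedPages) {
            this.userId = userId; this.allowedPages = allowedPages;
        }
        boolean hasAccess(String page) { return allowedPages.contains(page); }
    }
    private final String loginPageName;
    public PageGuard(String loginPageName) { this.loginPageName = loginPageName; }

    /** One decision per page request; 'expired' mirrors the isExpiring flag. */
    public Outcome check(Map<String, Object> session, String pageName, boolean expired) {
        if (pageName.equals(loginPageName)) return Outcome.PROCEED; // no login needed
        if (expired) return Outcome.SHOW_LOGIN;                      // session timed out
        Object login = (session == null) ? null : session.get("login");
        if (!(login instanceof LoginInfo)) {
            // Protected page requested with no login object in the session,
            // e.g. browser BACK after RemoveUserSession(): send to login.
            System.err.println("WARNING Attempt to bypass security! Page: " + pageName);
            return Outcome.SHOW_LOGIN;
        }
        LoginInfo user = (LoginInfo) login;
        if (!user.hasAccess(pageName)) {
            System.err.println("WARNING Attempt to bypass security! Page: " + pageName
                    + " User Id: " + user.userId);
            return Outcome.DENY; // logged in but not authorised: no login offer
        }
        return Outcome.PROCEED;
    }
    public static void main(String[] args) {
        PageGuard guard = new PageGuard("pgLogin");
        Map<String, Object> session = new HashMap<>();
        // Constructed sample session: user42 may see two pages.
        session.put("login", new LoginInfo("user42", Set.of("pgHome", "pgReport")));
        System.out.println("pgHome while logged in:  " + guard.check(session, "pgHome", false));
        System.out.println("pgAdmin while logged in: " + guard.check(session, "pgAdmin", false));
        session.clear(); // what RemoveUserSession() does on the server side
        System.out.println("pgHome after logout:     " + guard.check(session, "pgHome", false));
    }
}
```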
-----Original Message-----
From: Beaudreau, Marilyn [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 11, 1999 3:20 PM
To: '[EMAIL PROTECTED]'
Subject: [ND] RemoveUserSession() question...
I'm using NDV4.x and seem to be having problems with RemoveUserSession().
When the user clicks an Exit button within my application the onBtn Event
invokes RemoveUserSession and then loads a page telling the user they are
now logged out of the application. My problem is that if the user hits the
browser BACK button he/she still has the capability to use the application!
I'm certain this was working previously. Would the control center settings
have any impact on this?
thx,
- Marilyn
_________________________________________________________________________
For help in using, subscribing, and unsubscribing to the discussion
forums, please go to: http://www.netdynamics.com/support/visitdevfor.html
For dire need help, email: [EMAIL PROTECTED]
_________________________________________________________________________