In NDV3.1.2 it was only necessary to use 'RemoveSessionID'. I thought the
ND V4 comparable statement was 'RemoveUserSession'. That's not true?
In ND V4 in order to stop a session you need to take extra steps like
checking the authentication on every page?
thx,
- marilyn
> -----Original Message-----
> From: Fonarev, Oleg [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, May 11, 1999 4:16 PM
> To: '[EMAIL PROTECTED]'
> Subject: Re: [ND] RemoveUserSession() question...
>
> Removing user session is not enough. You have to make sure that there are
> no backdoors to your application. One way to do this is to set
> 'isLoginRequired' property to 'true' for every page that needs
> authentication. You can also do it at the Project level by implementing
> project's onBeforeSecurityCheckEvent() and onSessionTimeoutEvent(). Below
> is an example.
>
> Hope this helps.
> Cheers,
> Oleg Fonarev.
>
> *******************************************************************
> private boolean isExpiring = false;
> private String loginPageName = new String("pgLogin");
>
> public int this_onSessionTimeoutEvent(CSpProjectSessionEvent event)
> {
>     isExpiring = true;
>     return (PROCEED);
> }
>
> public int this_onBeforeSecurityCheckEvent(CSpProjectSecurityEvent event)
> {
>     // If user session has expired or someone is trying to hack into the system
>     // send to the login page.
>     // Otherwise check user's access privileges.
>     boolean hasExpired = isExpiring;
>     if(isExpiring)
>     {
>         isExpiring = false;
>     }
>
>     CSpCommonPage currPage = event.getCurrPage();
>     String currPageName = currPage.getName();
>
>     // Exclude pages that do not require login.
>     if( !currPageName.equals(loginPageName) )
>     {
>         if( hasExpired )
>         {
>             CSpCommonPage loginPage = CSpider.getCommonPage();
>             // Display an error message and load the login page
>             .....
>             loginPage.load();
>             return STOP;
>         }
>         // Check if someone is trying to hack into the system.
>         // The CMyLogin class extends CSpLogin. An instance of
>         // this class is created and is saved into user's session
>         // when the user logs in.
>         CMyLogin userLogin = CMyLogin.getLogin();
>         if(userLogin == null)
>         {
>             // A hacker!!!
>             CSpLog.send(this, CSpLog.WARNING,
>                 "Attempt to bypass security! Page: " + currPageName );
>             CSpCommonPage loginPage = CSpider.getCommonPage();
>             // Display a nice error message and load the login page
>             .....
>             loginPage.load();
>             return STOP;
>         }
>
>         // Next check whether the user has access to the page.
>         if( !userLogin.hasAccess(currPageName) )
>         {
>             // A smart hacker!!!!
>             CSpLog.send(this, CSpLog.WARNING,
>                 "Attempt to bypass security! Page: " + currPageName
>                 + "\nUser Id: " + userLogin.getUserId() );
>             // Still display a nice error message.
>             // Don't offer to login this time.
>             // Don't even try!
>             .....
>             return STOP;
>         }
>
>         // Add Display Listeners to all page children that have access restrictions
>         ......
>     }
>
>     return PROCEED;
> }
>
> **************************************************************
>
> -----Original Message-----
> From: Beaudreau, Marilyn [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 11, 1999 3:20 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ND] RemoveUserSession() question...
>
>
> I'm using NDV4.x and seem to be having problems with RemoveUserSession().
> When the user clicks an Exit button within my application the onBtn Event
> invokes RemoveUserSession and then loads a page telling the user they are
> now logged out of the application. My problem is, that if the user hits the
> browser BACK button he/she still has the capability to use the application!
> I'm certain this was working previously. Would the control center settings
> have any impact on this?
>
> thx,
> - Marilyn
> _________________________________________________________________________
>
> For help in using, subscribing, and unsubscribing to the discussion
> forums, please go to: http://www.netdynamics.com/support/visitdevfor.html
>
> For dire need help, email: [EMAIL PROTECTED]
> _________________________________________________________________________
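
The point made in the quoted reply, that removing the session only helps if every page request is checked against it on the server, shown as a stand-alone plain-Java example. It is added here and is not code from this thread or from NetDynamics; PageGate, Decision and the page names pgLoggedOut, pgOrders and pgAdmin are hypothetical, and an in-memory map stands in for the server's session table.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

// Added illustration; PageGate and Decision are hypothetical, not NetDynamics classes.
public class PageGate {
    enum Decision { PROCEED, LOGIN_REQUIRED, ACCESS_DENIED }

    // Pages served without a session; every other page is protected by default.
    private final Set<String> publicPages = Set.of("pgLogin", "pgLoggedOut");
    // Server-side session table: session id -> pages that user may open.
    private final Map<String, Set<String>> sessions = new HashMap<>();

    String login(Set<String> allowedPages) {
        String id = UUID.randomUUID().toString();
        sessions.put(id, allowedPages);
        return id;
    }

    // What the Exit button does: drop the server-side session.
    void logout(String sessionId) {
        sessions.remove(sessionId);
    }

    // Runs before every page is served, like a project-level security hook.
    Decision check(String sessionId, String page) {
        if (publicPages.contains(page)) return Decision.PROCEED;
        Set<String> allowed = (sessionId == null) ? null : sessions.get(sessionId);
        if (allowed == null) return Decision.LOGIN_REQUIRED;    // no live session
        if (!allowed.contains(page)) return Decision.ACCESS_DENIED;
        return Decision.PROCEED;
    }

    public static void main(String[] args) {
        PageGate gate = new PageGate();
        String sid = gate.login(Set.of("pgOrders"));             // constructed sample data
        System.out.println(gate.check(sid, "pgOrders"));         // live session, granted page
        System.out.println(gate.check(sid, "pgAdmin"));          // live session, page not granted
        gate.logout(sid);
        // The browser resubmits the old request after BACK, carrying the old session id:
        System.out.println(gate.check(sid, "pgOrders"));
        System.out.println(gate.check(null, "pgOrders"));        // direct URL, no session at all
        System.out.println(gate.check(null, "pgLogin"));         // login page stays reachable
    }
}
```

Because the gate denies by default, a page added later is protected unless it is deliberately listed in publicPages.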