The point is that ND automatically creates a new user session if it doesn't
find the session id. So, if the user hits the browser's back button and
tries to reload the same page, ND delivers the page with a new session id.
Unless you somehow force all users (= user sessions) to go through a login
process, there will always be security holes in your application.
Oleg Fonarev.
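As an added illustration of the point above (example code, not NetDynamics' API or anything from the thread), the small Java model below has a session store that hands out a fresh anonymous session whenever a request carries an unknown or removed id, and a stand-alone version of the per-page gate from the quoted onBeforeSecurityCheckEvent handler; after RemoveUserSession plus the BACK button, the page is requested under a new session and only the gate stops it. All class, method and page names except pgLogin are invented here.

```java
import java.util.*;

// Added example, not NetDynamics code. SESSIONS mimics the ND behaviour the
// thread describes (an unknown or removed session id silently yields a fresh,
// anonymous session); beforeSecurityCheck is a stand-alone version of the gate
// in the quoted onBeforeSecurityCheckEvent handler. All names are invented.
public class SessionGate {
    enum Decision { PROCEED, STOP_LOGIN_PAGE, STOP }
    // session id -> attributes; "login" holds the user id, "pages" the pages it may open
    static final Map<String, Map<String, Object>> SESSIONS = new HashMap<>();
    static final Set<String> OPEN_PAGES = Set.of("pgLogin");   // no login required
    static String getOrCreateSession(String sessionId) {
        if (sessionId == null || !SESSIONS.containsKey(sessionId)) {
            sessionId = UUID.randomUUID().toString();            // new anonymous session
            SESSIONS.put(sessionId, new HashMap<>());
        }
        return sessionId;
    }
    static void login(String sid, String userId, Set<String> allowedPages) {
        SESSIONS.get(sid).put("login", userId);
        SESSIONS.get(sid).put("pages", allowedPages);
    }
    static void removeUserSession(String sid) { SESSIONS.remove(sid); }   // the Exit button
    // Must run before every protected page; per-page 'isLoginRequired' or the project event.
    @SuppressWarnings("unchecked")
    static Decision beforeSecurityCheck(String sid, String pageName, boolean hasExpired) {
        if (OPEN_PAGES.contains(pageName)) return Decision.PROCEED;
        if (hasExpired) return Decision.STOP_LOGIN_PAGE;          // timed out: back to login
        Map<String, Object> s = SESSIONS.get(sid);
        if (s.get("login") == null) {                             // no login object in session
            System.err.println("WARNING Attempt to bypass security! Page: " + pageName);
            return Decision.STOP_LOGIN_PAGE;
        }
        if (!((Set<String>) s.get("pages")).contains(pageName)) { // logged in, not authorised
            System.err.println("WARNING Attempt to bypass security! Page: " + pageName
                               + " User Id: " + s.get("login"));
            return Decision.STOP;                                 // error page, no login offer
        }
        return Decision.PROCEED;
    }
    public static void main(String[] args) {
        String sid = getOrCreateSession(null);
        login(sid, "marilyn", Set.of("pgAccount"));
        System.out.println("logged in, own page:   " + beforeSecurityCheck(sid, "pgAccount", false));
        System.out.println("logged in, other page: " + beforeSecurityCheck(sid, "pgAdmin", false));
        removeUserSession(sid);                       // Exit button
        String back = getOrCreateSession(sid);        // BACK button resends the stale id
        System.out.println("same session id after BACK: " + sid.equals(back));
        System.out.println("after Exit + BACK:     " + beforeSecurityCheck(back, "pgAccount", false));
    }
}
```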
-----Original Message-----
From: Beaudreau, Marilyn [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 12, 1999 11:13 AM
To: '[EMAIL PROTECTED]'
Subject: Re: [ND] RemoveUserSession() question...
In NDV3.1.2 it was only necessary to use 'RemoveSessionID'. I thought the
ND V4 comparable statement was 'RemoveUserSession'. That's not true?
In ND V4 in order to stop a session you need to take extra steps like
checking the authentication on every page?
thx,
- marilyn
> -----Original Message-----
> From: Fonarev, Oleg [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, May 11, 1999 4:16 PM
> To: '[EMAIL PROTECTED]'
> Subject: Re: [ND] RemoveUserSession() question...
>
> Removing user session is not enough. You have to make sure that there are
> no backdoors to your application. One way to do this is to set the
> 'isLoginRequired' property to 'true' for every page that needs
> authentication. You can also do it at the Project level by implementing the
> project's onBeforeSecurityCheckEvent() and onSessionTimeoutEvent(). Below
> is an example.
>
> Hope this helps.
> Cheers,
> Oleg Fonarev.
>
> *******************************************************************
> private boolean isExpiring = false;
> private String loginPageName = new String("pgLogin");
>
> public int this_onSessionTimeoutEvent(CSpProjectSessionEvent event)
> {
>     isExpiring = true;
>     return (PROCEED);
> }
>
> public int this_onBeforeSecurityCheckEvent(CSpProjectSecurityEvent event)
> {
>     // If user session has expired or someone is trying to hack into the system
>     // send to the login page.
>     // Otherwise check user's access privileges.
>     boolean hasExpired = isExpiring;
>     if(isExpiring)
>     {
>         isExpiring = false;
>     }
>
>     CSpCommonPage currPage = event.getCurrPage();
>     String currPageName = currPage.getName();
>
>     // Exclude pages that do not require login.
>     if( !currPageName.equals(loginPageName) )
>     {
>         if( hasExpired )
>         {
>             CSpCommonPage loginPage = CSpider.getCommonPage();
>             // Display an error message and load the login page
>             .....
>             loginPage.load();
>             return STOP;
>         }
>         // Check if someone is trying to hack into the system.
>         // The CMyLogin class extends CSpLogin. An instance of
>         // this class is created and is saved into user's session
>         // when the user logs in.
>         CMyLogin userLogin = CMyLogin.getLogin();
>         if(userLogin == null)
>         {
>             // A hacker!!!
>             CSpLog.send(this, CSpLog.WARNING,
>                         "Attempt to bypass security! Page: " + currPageName );
>             CSpCommonPage loginPage = CSpider.getCommonPage();
>             // Display a nice error message and load the login page
>             .....
>             loginPage.load();
>             return STOP;
>         }
>
>         // Next check whether the user has access to the page.
>         if( !userLogin.hasAccess(currPageName) )
>         {
>             // A smart hacker!!!!
>             CSpLog.send(this, CSpLog.WARNING,
>                         "Attempt to bypass security! Page: " + currPageName +
>                         "\nUser Id: " + userLogin.getUserId() );
>             // Still display a nice error message.
>             // Don't offer to login this time.
>             // Don't even try!
>             .....
>             return STOP;
>         }
>
>         // Add Display Listeners to all page children that have access restrictions
>         ......
>     }
>
>     return PROCEED;
> }
>
> **************************************************************
>
> -----Original Message-----
> From: Beaudreau, Marilyn [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 11, 1999 3:20 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ND] RemoveUserSession() question...
>
>
> I'm using NDV4.x and seem to be having problems with RemoveUserSession().
> When the user clicks an Exit button within my application the onBtn Event
> invokes RemoveUserSession and then loads a page telling the user they are
> now logged out of the application. My problem is that if the user hits the
> browser BACK button he/she still has the capability to use the application!
> I'm certain this was working previously. Would the control center settings
> have any impact on this?
>
> thx,
> - Marilyn
> _________________________________________________________________________
>
> For help in using, subscribing, and unsubscribing to the discussion
> forums, please go to: http://www.netdynamics.com/support/visitdevfor.html
>
> For dire need help, email: [EMAIL PROTECTED]