> In NDV3.1.2 it was only necessary to use 'RemoveSessionID'. I thought the
> ND V4 comparable statement was 'RemoveUserSession'. That's not true?
>
> In ND V4 in order to stop a session you need to take extra steps like
> checking the authentication on every page? I'm not using Security Objects
> to check authentication. My application has a person log in with username
> and pw and a db provides the privs for the current user.
>
I'm not clear why in ND4 I can't handle things the same as I did in
ND3.
Anyone else need to change their 'Exit' or RemoveUserSession
functionality during their migrations? Any input would be helpful.
> thx,
> - marilyn
> -----Original Message-----
> From: Fonarev, Oleg [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, May 11, 1999 4:16 PM
> To: '[EMAIL PROTECTED]'
> Subject: Re: [ND] RemoveUserSession() question...
>
> Removing user session is not enough. You have to make sure that there are no
> backdoors to your application. One way to do this is to set
> 'isLoginRequired' property to 'true' for every page that needs
> authentication. You can also do it at the Project level by implementing
> project's onBeforeSecurityCheckEvent() and onSessionTimeoutEvent(). Below
> is an example.
>
> Hope this helps.
> Cheers,
> Oleg Fonarev.
>
> *******************************************************************
> private boolean isExpiring = false;
> private String loginPageName = new String("pgLogin");
>
> public int this_onSessionTimeoutEvent(CSpProjectSessionEvent event)
> {
>     isExpiring = true;
>     return (PROCEED);
> }
>
> public int this_onBeforeSecurityCheckEvent(CSpProjectSecurityEvent event)
> {
>     // If user session has expired or someone is trying to hack into the system
>     // send to the login page.
>     // Otherwise check user's access privileges.
>     boolean hasExpired = isExpiring;
>     if(isExpiring)
>     {
>         isExpiring = false;
>     }
>
>     CSpCommonPage currPage = event.getCurrPage();
>     String currPageName = currPage.getName();
>
>     // Exclude pages that do not require login.
>     if( !currPageName.equals(loginPageName) )
>     {
>         if( hasExpired )
>         {
>             CSpCommonPage loginPage = CSpider.getCommonPage();
>             // Display an error message and load the login page
>             .....
>             loginPage.load();
>             return STOP;
>         }
>         // Check if someone is trying to hack into the system.
>         // The CMyLogin class extends CSpLogin. An instance of
>         // this class is created and is saved into user's session
>         // when the user logs in.
>         CMyLogin userLogin = CMyLogin.getLogin();
>         if(userLogin == null)
>         {
>             // A hacker!!!
>             CSpLog.send(this, CSpLog.WARNING,
>                 "Attempt to bypass security! Page: " + currPageName );
>             CSpCommonPage loginPage = CSpider.getCommonPage();
>             // Display a nice error message and load the login page
>             .....
>             loginPage.load();
>             return STOP;
>         }
>
>         // Next check whether the user has access to the page.
>         if( !userLogin.hasAccess(currPageName) )
>         {
>             // A smart hacker!!!!
>             CSpLog.send(this, CSpLog.WARNING,
>                 "Attempt to bypass security! Page: " + currPageName
>                 + "\nUser Id: " + userLogin.getUserId() );
>             // Still display a nice error message.
>             // Don't offer to login this time.
>             // Don't even try!
>             .....
>             return STOP;
>         }
>
>         // Add Display Listeners to all page children that have access restrictions
>         ......
>     }
>
>     return PROCEED;
> }
>
> **************************************************************
>
> -----Original Message-----
> From: Beaudreau, Marilyn [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 11, 1999 3:20 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ND] RemoveUserSession() question...
>
>
> I'm using NDV4.x and seem to be having problems with
> RemoveUserSession().
> When the user clicks an Exit button within my application the onBtn
> Event
> invokes RemoveUserSession and then loads a page telling the user
> they are
> now logged out of the application. My problem is, that if the user
> hits the
> browser BACK button he/she still has the capability to use the
> application!
> I'm certain this was working previously. Would the control center
> settings
> have any impact on this?
>
> thx,
> - Marilyn
>
> _________________________________________________________________________
>
> For help in using, subscribing, and unsubscribing to the discussion
> forums, please go to:
> http://www.netdynamics.com/support/visitdevfor.html
>
> For dire need help, email: [EMAIL PROTECTED]
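
The per-request check discussed in this thread, as an added example in plain Java (Java 16+); it is not part of the original messages and does not use the NetDynamics API. The class, the in-memory session map and all sample values are hypothetical. It shows why a request replayed with the browser BACK button after the session has been removed is refused only when every page runs the check on the server.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: plain Java, not the NetDynamics API. All names are hypothetical.
public class PageGuardDemo {
    enum Decision { PROCEED, SEND_TO_LOGIN, DENY }

    // Stored in the session at login time; the page privileges come from the database.
    record Login(String userId, Set<String> allowedPages) {}

    static final String LOGIN_PAGE = "pgLogin";
    static final Map<String, Login> sessions = new ConcurrentHashMap<>();

    // Runs before every page request, including ones replayed from browser history.
    static Decision check(String sessionId, String pageName) {
        if (pageName.equals(LOGIN_PAGE)) {
            return Decision.PROCEED;          // the login page itself needs no session
        }
        Login login = (sessionId == null) ? null : sessions.get(sessionId);
        if (login == null) {
            // Never logged in, timed out, or logged out: treat all three the same.
            System.err.println("WARNING: no login object, page: " + pageName);
            return Decision.SEND_TO_LOGIN;
        }
        if (!login.allowedPages().contains(pageName)) {
            // Authenticated, but this page is outside the user's privileges.
            System.err.println("WARNING: access denied, page: " + pageName
                    + ", user id: " + login.userId());
            return Decision.DENY;
        }
        return Decision.PROCEED;
    }

    public static void main(String[] args) {
        // Constructed sample data: one logged-in user allowed to see one page.
        sessions.put("s1", new Login("user1", Set.of("pgOrders")));
        System.out.println(check("s1", "pgOrders"));  // normal use while logged in
        System.out.println(check("s1", "pgAdmin"));   // page outside the user's privileges
        sessions.remove("s1");                        // Exit button: session removed
        System.out.println(check("s1", "pgOrders"));  // same request replayed after logout
        System.out.println(check(null, LOGIN_PAGE));  // login page, no session yet
    }
}
```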