
Thread: Log Off

  1. #1
    "Certified" Alphaholic
    Real Name
    Louis Nickerson
    Join Date
    Aug 2002
    Posts
    1,039

    Default Log Off

    Hello All,

    I'm working on my first WAS website...I've learned a lot in the past few days, but something tells me I still have a very long way to go!

    I have created a login page for my website that works exactly like the example given in the "Web_Applications_Demo" database.

    The "log in" part works perfectly.

    Once the user has successfully logged in, they are presented with my Client_Menu.a5w page.

    I have a hyperlink on the Client_Menu.a5w page for the user to log off. This hyperlink is to an a5w page I have created and named "Logoff.a5w"

    Logoff.a5w contains the following code...

    ===========CODE FOLLOWS=======================

    <!doctype html public "-//w3c//dtd html 4.0 transitional//en">
    <head>
    <meta http-equiv=Content-type content="text/html; charset=unicode">
    <%a5
    if eval_valid("session.FlagIsLoggedIn") = .t. then
        session.FlagIsLoggedIn = .f.
        'session.targetURL = request.request_uri
        response.redirect("home.htm")
        end
    end if
    session.FlagIsLoggedIn = .f.
    %>
    <meta content="MSHTML 6.00.2800.1400" name=GENERATOR></head>
    <body></body>
    ======================END OF CODE====================

    Using the a5w_info() function (thanks Lenny), I have confirmed that the value of session.FlagIsLoggedIn is in fact changed from true to false when the user clicks on the "log off" hyperlink, but...

    The user can still navigate to the Client_Menu.a5w page without being redirected to the "Log In" page.

    Where have I screwed this thing up?

    Thanks for any assistance that can be offered,

    Louis

  2. #2
    "Certified" Alphaholic
    Real Name
    Louis Nickerson
    Join Date
    Aug 2002
    Posts
    1,039

    Default RE: Log Off

    Hey,

    Sometimes writing a problem out seems to make resolution easier.

    I just noticed that the code above does not test for the value of the session variable, it simply tests for its existence.

    It seems that the thing I need to do is delete the variable altogether in my "Logoff.a5w" code instead of changing its value to false.

    If anyone knows if I'm on the right track here and could offer advice on how to delete a session variable using X-Basic, I'd sure appreciate the advice.

    If I've completely missed the boat then someone toss me a life jacket, this anchor is getting heavy!

    Thanks

    Louis

  3. #3
    Alpha Software Employee Lenny Forziati's Avatar
    Real Name
    Lenny Forziati
    Join Date
    Nov 2001
    Location
    Alpha Software
    Posts
    4,680

    Default RE: Log Off

    If you're using the login sample directly from the demo app, the test simply looks to see if the variable exists, not whether or not it is true. So you'll either need to delete the variable in your code above or change the login test to look at the actual value of the variable.

    -Lenny

  4. #4
    Alpha Software Employee Lenny Forziati's Avatar
    Real Name
    Lenny Forziati
    Join Date
    Nov 2001
    Location
    Alpha Software
    Posts
    4,680

    Default RE: Log Off

    To delete a session variable, you just do

    delete session.yourvariable

    Or you can do a session.reset() which deletes all session variables.

    -Lenny

  5. #5
    "Certified" Alphaholic
    Real Name
    Louis Nickerson
    Join Date
    Aug 2002
    Posts
    1,039

    Default RE: Log Off

    Lenny,

    Thanks again!

    Louis

  6. #6
    "Certified" Alphaholic
    Real Name
    Louis Nickerson
    Join Date
    Aug 2002
    Posts
    1,039

    Default RE: Log Off

    Lenny,

    Deleting the session variable did the trick.

    How "secure" is this method of logging in?

    Louis

  7. #7
    Alpha Software Employee Lenny Forziati's Avatar
    Real Name
    Lenny Forziati
    Join Date
    Nov 2001
    Location
    Alpha Software
    Posts
    4,680

    Default RE: Log Off

    It's not very secure at all, I can totally bypass your login by going to:

    http://nickerson.com/yourpage.a5w?session.flagisloggedin=.t.

    This of course means I have to know the name of the session variable you are using. Changing to a more obscure variable name would give you a small improvement.

    But if you look through the release notes, you'll see an explanation of "protected" variables that were added to the Web App Server. These variables cannot be created as part of the URL like above.

    -Lenny

  8. #8
    "Certified" Alphaholic
    Real Name
    Louis Nickerson
    Join Date
    Aug 2002
    Posts
    1,039

    Default RE: Log Off

    Lenny,

    Once again, thank you!

    I read up on __protected__ variables and will change my code to take advantage of them...

    Now...

    How secure is my database going to be?

    Thanks Again,

    Louis
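
An added example, not part of the original thread and not Alpha Five code: a Python model of the two problems discussed above, the existence-only login test (posts #2 to #4) and the URL-settable session flag versus a protected variable (posts #7 and #8). It assumes the server copies `session.<name>` query parameters into the session unless the name starts with the protected prefix; the function names, the `loggedin` variable and the example.test URL are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Model assumption (not Alpha Five code): any "session.<name>" query parameter
# is copied into the session unless <name> starts with the protected prefix.
PROTECTED = "__protected__"

def apply_request(session, url):
    """Merge URL-supplied session.* parameters, skipping protected names."""
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        name = key.lower()
        if name.startswith("session."):
            var = name[len("session."):]
            if not var.startswith(PROTECTED):
                session[var] = value
    return session

def gate_exists(session):
    """Demo-app style check: is the variable present at all?"""
    return "flagisloggedin" in session

def gate_value(session):
    """Value check; assumes a URL-supplied '.t.' is read as true."""
    return session.get("flagisloggedin") in (True, ".t.")

def gate_protected(session):
    """Check a protected variable that only server-side code can set."""
    return session.get(PROTECTED + "loggedin") is True

def login(session):
    session["flagisloggedin"] = True
    session[PROTECTED + "loggedin"] = True

def logoff_set_false(session):
    """What the posted Logoff.a5w does: the variable still exists."""
    session["flagisloggedin"] = False

def logoff_delete(session):
    """The fix from the thread: remove the variables entirely."""
    session.pop("flagisloggedin", None)
    session.pop(PROTECTED + "loggedin", None)

# Constructed request, same shape as the URL quoted in post #7.
FORGED = "http://example.test/Client_Menu.a5w?session.flagisloggedin=.t."

if __name__ == "__main__":
    s = {}; login(s); logoff_set_false(s)
    print("after set-false logoff, exists-gate passes:", gate_exists(s))
    f = apply_request({}, FORGED)
    print("forged URL:", gate_exists(f), gate_value(f), gate_protected(f))
```

In this model, checking the value instead of mere existence fixes the log-off problem but not the forged URL; only the gate on the protected variable rejects it.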
