Alpha Software Mobile Development Tools:   Alpha Anywhere    |   Alpha TransForm subscribe to our YouTube Channel  Follow Us on LinkedIn  Follow Us on Twitter  Follow Us on Facebook
Devcon 2020 Goes Virtual! LEARN MORE >

Announcement

Collapse

The Alpha Software Forum Participation Guidelines

The Alpha Software Forum is a free forum created for Alpha Software Developer Community to ask for help, exchange ideas, and share solutions. Alpha Software strives to create an environment where all members of the community can feel safe to participate. In order to ensure the Alpha Software Forum is a place where all feel welcome, forum participants are expected to behave as follows:
  • Be professional in your conduct
  • Be kind to others
  • Be constructive when giving feedback
  • Be open to new ideas and suggestions
  • Stay on topic


Be sure all comments and threads you post are respectful. Posts that contain any of the following content will be considered a violation of your agreement as a member of the Alpha Software Forum Community and will be moderated:
  • Spam.
  • Vulgar language.
  • Quotes from private conversations without permission, including pricing and other sales related discussions.
  • Personal attacks, insults, or subtle put-downs.
  • Harassment, bullying, threatening, mocking, shaming, or deriding anyone.
  • Sexist, racist, homophobic, transphobic, ableist, or otherwise discriminatory jokes and language.
  • Sexually explicit or violent material, links, or language.
  • Pirated, hacked, or copyright-infringing material.
  • Encouraging of others to engage in the above behaviors.


If a thread or post is found to contain any of the content outlined above, a moderator may choose to take one of the following actions:
  • Remove the Post or Thread - the content is removed from the forum.
  • Place the User in Moderation - all posts and new threads must be approved by a moderator before they are posted.
  • Temporarily Ban the User - user is banned from forum for a period of time.
  • Permanently Ban the User - user is permanently banned from the forum.


Moderators may also rename posts and threads if they are too generic or do not property reflect the content.

Moderators may move threads if they have been posted in the incorrect forum.

Threads/Posts questioning specific moderator decisions or actions (such as "why was a user banned?") are not allowed and will be removed.

The owners of Alpha Software Corporation (Forum Owner) reserve the right to remove, edit, move, or close any thread for any reason; or ban any forum member without notice, reason, or explanation.

Community members are encouraged to click the "Report Post" icon in the lower left of a given post if they feel the post is in violation of the rules. This will alert the Moderators to take a look.

Alpha Software Corporation may amend the guidelines from time to time and may also vary the procedures it sets out where appropriate in a particular case. Your agreement to comply with the guidelines will be deemed agreement to any changes to it.



Bonus TIPS for Successful Posting

Try a Search First
It is highly recommended that a Search be done on your topic before posting, as many questions have been answered in prior posts. As with any search engine, the shorter the search term, the more "hits" will be returned, but the more specific the search term is, the greater the relevance of those "hits". Searching for "table" might well return every message on the board while "tablesum" would greatly restrict the number of messages returned.

When you do post
First, make sure you are posting your question in the correct forum. For example, if you post an issue regarding Desktop applications on the Mobile & Browser Applications board , not only will your question not be seen by the appropriate audience, it may also be removed or relocated.

The more detail you provide about your problem or question, the more likely someone is to understand your request and be able to help. A sample database with a minimum of records (and its support files, zipped together) will make it much easier to diagnose issues with your application. Screen shots of error messages are especially helpful.

When explaining how to reproduce your problem, please be as detailed as possible. Describe every step, click-by-click and keypress-by-keypress. Otherwise when others try to duplicate your problem, they may do something slightly different and end up with different results.

A note about attachments
You may only attach one file to each message. Attachment file size is limited to 2MB. If you need to include several files, you may do so by zipping them into a single archive.

If you forgot to attach your files to your post, please do NOT create a new thread. Instead, reply to your original message and attach the file there.

When attaching screen shots, it is best to attach an image file (.BMP, .JPG, .GIF, .PNG, etc.) or a zip file of several images, as opposed to a Word document containing the screen shots. Because Word documents are prone to viruses, many message board users will not open your Word file, therefore limiting their ability to help you.

Similarly, if you are uploading a zipped archive, you should simply create a .ZIP file and not a self-extracting .EXE as many users will not run your EXE file.
See more
See less

Log out of APP

Collapse
X
Collapse
 
  • Page of 2
  • Filter
  • Time
  • Show
Clear All
new posts
Previous 1 2 template Next
    #1

    Log out of APP

    Hi:

    I have an applicatino that uses some basic security to log in. After the user submits I would like to implement a log off function that eliminates everything connected to the previous session. Once the logout is complete any attempt to go back via the browser would send the user to the login page. Any inspiriation would be appreciated.

    Steve
    Tags: None
    #2
    RE: Log out of APP

    Use
    session.reset()
    to remove all session variables you created, and then
    response.redirect("your_login_page.a5w")

    However, you *cannot* block the "back" button of the browser. That's a function of the browser. What you *can* do is prevent the user from doing anything new on those pages, with something like this:
    if eval_valid("session.__protected__isLoggedIn")=.f. then
    response.redirect("your_login_page.a5w")
    end if

    Put that at the beginning of every page, and of course, your_login_page.a5w has to create the session variable,
    session.__protected__isLoggedIn. The simplest approach is to create an .a5w page that just contains the if..end if statement above, called it logintest.a5w, and then put
    a5w_include("logintest.a5w")
    at the beginning of each of your a5w pages.



    - Peter

    Comment

      #3
      RE: Log out of APP

      Thanks Peter I will give it a shot. My app is relatively simple in terms of pages invovled. I have played with a small javascript that very effectively blocks the use of the go back key on the one critical page. Of course, you are then relying on javascript.

      Comment

        #4
        RE: Log out of APP

        Peter:

        I recently implemented this scheme exactly as you have suggested. Here is what I am seeing. I have the user submit records. THis takes them to a page where they logout. This page does a session reset. If you then enter the web address of the page that contained the records and re-submit you receive an error from the logout page about a session variable not being found. THis is OK since I rest them. However, the first piece of code on the page calls the routine you suggested to check for the existence of the session variable. I would assume that since the variable no longer lives my application would re-direct to the login page. It appears to process the logout page and runs into the expected session variable error. Here is the code that is included on each page via the a5w_include function. If I try to load this page without entering through the login page it does at I would expect. What I am trying to accomplish is to portect a page from being re-submitted after the user has logged out. Thanks for any insight.

        "!doctype html public "-//w3c//dtd html 4.0 transitional//en""
        "head"
        "meta http-equiv=Content-type content="text/html; charset=unicode"""%a5
        if eval_valid("session.__protected__user_is_in")=.f. then
        response.redirect("index.a5w")
        end if

        %"
        "meta content="MSHTML 6.00.2800.1491" name=GENERATOR""/head"
        "body""/body"

        Comment

          #5
          RE: Log out of APP

          ""If you then enter the web address of the page that contained the records and re-submit you receive an error from the logout page about a session variable not being found. THis is OK since I reset them. However, the first piece of code on the page calls the routine you suggested to check for the existence of the session variable. I would assume that since the variable no longer lives my application would re-direct to the login page""

          Steve,
          What is happening here (I think) is that the browser is re-loading the logout page through its cache. It's not loading it from the server. So the server doesn't get a chance to execute the session-checking code you want it to execute, and instead your page fails later on when you presumably are trying to post some data and the server is now contacted.
          If you want to get very fancy, your .a5w login page can create a cookie. The logout script could delete the cookie. Your pages could include javascript to test for the presence of the cookie in the onload() event of the page's body. I don't know if that would work, because I don't know whether the onload() event fires when a page is reloaded from cache. It's a bit of effort and, of course, it means that the user has to enable javascript. Depending on your application, though, you can tell users that they have to enable javascript.
          You can also tell your users to set their browser preferences to erase the cache each time they exit the browser, and remind them to exit the browser with your logout.

          Comment

            #6
            RE: Log out of APP

            Peter

            I use a logon scheme that uses a session cookie. It works very smoothly. I also uses a logon table. When a user logs on, the session cookie is set with a unique browserid and the same value is saved in the logon table, along with other usewr data. Every page has code to check for the existence of the cookie. If it is missing, the user is redirected to the logon table. If it exists, the code tests the logon table for a match. If there is a match, other values are sent to the page as needed. If the cookie exists, but the id doesn't match any in the table, the user get redirected to the logon. The logon clears the current browserid in the logon table if it exists.

            If you look at the scheduler demo on Alpha, that uses that method

            Jerry

            Comment

              #7
              RE: Log out of APP

              Jerry,
              I know I'm going in the right direction when I see your tracks ahead of me!
              - Peter

              Comment

                #8
                RE: Log out of APP

                Thank you gentlemen. I will take a look at these suggestions. WHile my application is relatively simple, I do not want a situation where a screen of sensitve student data can been seen. I may be back from some assistance as I implement. THanks again Jerry and Peter.

                Steve

                Comment

                  #9
                  RE: Log out of APP

                  RE: I would assume that since the variable no longer lives my application would re-direct to the login page. It appears to process the logout page and runs into the expected session variable error.

                  Although I don't pretend to be an expert on HTML - Jerry and Peter are probably far ahead of me - I've seen the same thing and it has been my opinion that the redirect command does not stop the xbasic program execution. After all, there is an xbasic program in there and most xbasic routines don't stop unless they reach an END statement or just run out of script.

                  So, (maybe you saw this coming by now) my solution has been to add an END statement after the redirect BUT be sure to close any open tables before executing the END statement!

                  I can also imagine that there are some situations where you would want to allow the routine to continue in order to set other session variables. It doesn't seem to hurt anything to allow it to continue except in situations like yours where an error results due to removing variables.

                  I'd also be concerned that your error might be stopping the xbasic in that script and there might be some tables left open - all depends on how your app is set up.

                  Cal Locklin
                  www.aimsdc.net

                  Comment

                    #10
                    RE: Log out of APP

                    Steve,

                    I don't know nearly as much as the other responders, but I've come up with this code that I put at the top of each page. (I don't use the "include" statement because I worry about someone being able to overwrite my included page with one of their own and bypass my testing.)

                    '------------- check for valid login ---------------
                    if (eval_valid("session.vsSafety")=.f.).or.(eval_valid("session.vsUs_Id")=.f.)
                    response.redirect("login.a5w")
                    end
                    else
                    Dim vSafety as C
                    vSafety=lookup("[PathAlias.ADB_Path]\users.dbf","us_id="+quote(session.vsUs_Id),"Us_UserKey")
                    if session.vsSafety""vSafety
                    response.redirect("login.a5w")
                    end
                    end if
                    end if
                    '------------- end login check --------------------

                    In my users table, I have a calculated field that combines the user name with the password in a tricky way. This field is Us_UserKey. When the user signs on, I do the same calculation and stick that in the session variable session.vsSafety. That way, if my logic is correct, the hacker would need to know a valid logon password combination to get around the redirecton.

                    By the way, I also have the system.reset as the first thing on the login page, but obviously don't put this test on that page to avoid the eror.

                    Pat
                    Pat Bremkamp
                    MindKicks Consulting

                    Comment

                      #11
                      RE: Log out of APP

                      Some interesting things to note. Before I change anything I tried some tests and come up with the following. When I test my site under the local webroot it works as I would expect. If I try to navigate to a page after logout I am redirected to the login page. Yet, the same application running on Alpha5host and on a local LAN returns the session variable error as if the include code was not executed. Working with Peter's suggestion that I was picking up a cached copy - I disabled all cache in my browser and still received the same error. I am intrigued as to why this works under the loca webroot by no where else. I certainly appreciate all your suggestions and will certainly implement one of them but I like to know why something is working or not before moving ahead. Thanks again.

                      Steve

                      Comment

                        #12
                        RE: Log out of APP

                        Steve,

                        Have you looked at the path structure? Also, are other a5w pages executing properly using include files outside of your local host? Just some thoughts.

                        Good luck
                        Cheryl
                        Cheryl
                        #1 Designs By Pagecrazy
                        http://pagecrazy.com/

                        Comment

                          #13
                          RE: Log out of APP-UPDATE

                          Today was a learning day not a very productive one however. I solved the mystery. When I changed the first line of my aw5 pages from

                          "Head"

                          to:

                          "!doctype html public "-//w3c//dtd html 4.0 transitional//en""
                          "head"

                          Everything worked as I expected. With the orginal lines everything worked fine when publishing to the local webroot. Why that changed when I published to a host and my LAN I do not know. However, the include file is now processed and the redirection takes place as expected. It would appear that without the proper heading the file would continue process and kick in my session variable error. I further confirmed this by placing an "end" on each page after the include statement and that caused the re-direction although I had to remove the "end" as that would ont work for my app the way I have it set up. Thanks all for the help. I am still planning on beefing up the security. I just had to solve this mystery first.

                          Steve

                          Comment

                            #14
                            RE: Logout SPOKE TO SOON

                            I feel foolish today. I had left an "end" statement in one of the files makinf ne believe I had fixed this. My problem is the same as it has been. I guess the question remains why on the LAW and host site my entire page is read as if ignoring the include statement and on the webroot it all works fine.

                            THis is how I am testing. Through the browser I try to open one of the pages I believe is protected from prying eyes and I get the session variable error. I cannot reproduce this behavior on the local webroot.

                            I have a feeling it is related to a cache problem but should not the cached file exist when using the local webroot?

                            Enough for today. Thanks again,

                            Steve

                            Comment

                              #15
                              RE: Log out of APP

                              You are correct Cal, a response.redirect does not stop execution of the page. If you want no other ouput to be sent back to the browser, you should include an end.

                              It is however perfectly valid to send output along with your redirect. The output in this case is typically something like "Please wait while your browser reloads..."

                              Lenny Forziati
                              Vice President, Internet Products and Technical Services
                              Alpha Software Corporation

                              Comment

                              Previous 1 2 template Next
                              Working...
                              X