How to Prevent Forcible Logout in ASP.Net

Every developer has to build security into a website. Here I will first show how an outsider can force a user's logout and then show the solution to that problem.

I need the following 3 pages for this:

  • Login Page
  • Home Page
  • Logout Page
The steps are as follows.

Step 1

Add a new "Website" named "Website1".



And you will get the default page named "Default.aspx".



Here the Default page is my landing page, so I am using it as my "Login Page".

Add some controls to the "Default.aspx" page.
  • Textboxes on the page for the User ID and Password respectively
  • A button for login with a click event
  • A label for the message

    User ID
    <asp:TextBox ID="txtUserID" runat="server"></asp:TextBox>
    <br />
    Password
    <asp:TextBox ID="txtPwd" runat="server" TextMode="Password"></asp:TextBox>
    <br />
    <asp:Button ID="btnLogin" runat="server" Text="Login" OnClick="btnLogin_Click" />
    <br />
    <asp:Label ID="lblmsg" runat="server" ForeColor="Red"></asp:Label>


Step 2

Add a web form named "Home.aspx".



Add the following code for the click event of the login button of the "Default.aspx" page.

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (txtUserID.Text == "") // User ID is blank
        {
            lblmsg.Text = "Fill in the User ID";
            return;
        }

        if (txtPwd.Text == "") // password is blank
        {
            lblmsg.Text = "Fill in the Password";
            return;
        }

        // Match the user ID and password. The hard-coded pair is only for this demonstration.
        if (txtUserID.Text == "rahul" && txtPwd.Text == "bansal")
        {
            // Mark the session as logged in and redirect to the home page
            Session["ID"] = txtUserID.Text;
            Response.Redirect("Home.aspx");
        }
        else
        {
            lblmsg.Text = "Invalid User ID or Password";
            return;
        }
    }


Note

In a real application you would look the user up in the database and compare the submitted password against a stored salted hash, never against a plaintext value; the hard-coded pair above is only for the demonstration.

Step 3

Now write some code on the page load event of "Home.aspx" that will:
  • Check whether or not the session value named "ID" is null
  • If it is not null, show the user ID on the page

    protected void Page_Load(object sender, EventArgs e)
    {
        if (Session["ID"] == null)
        {
            // Nobody is logged in. A real application would redirect to an
            // error page or to Default.aspx; the message is kept here so the
            // effect of a cleared session is visible in the demonstration.
            Response.Write("Session is null");
            return;
        }
        else
        {
            Response.Write(" Welcome " + Convert.ToString(Session["ID"]));
        }
    }


Add a web form named "Logout.aspx".



Step 4

Write some code on the page load event of "Logout.aspx" to clear the session and redirect to the "Default.aspx" page.

    protected void Page_Load(object sender, EventArgs e)
    {
        // Runs on every request for this page, including a plain GET
        Session.Abandon();
        Session.Clear();
        Response.Redirect("Default.aspx");
    }


Finally add a link button on the "Home.aspx" page to redirect to the "Logout.aspx" page.

    <asp:LinkButton ID="LinkButton1" runat="server" OnClick="LinkButton1_Click">Logout</asp:LinkButton>

Add the code for its click event that redirects to the "Logout.aspx" page, as in the following:



Result

Provide the valid user id and password on the "Default.aspx" page and click on the login button.



It will redirect to the "Home.aspx" page.



Now if you click on the logout link then:
  • It will redirect to the "Logout.aspx" page
  • The page load event of "Logout.aspx" clears the session
  • It redirects to the "Default.aspx" page

Problem

Anyone who knows the URL of "Logout.aspx" can make a user's browser request it directly, without the user ever clicking the logout button, and the user's session is cleared. This is a cross-site request forgery (CSRF) against the logout action: the logout happens on a plain GET, and the browser attaches the session cookie to a request for that URL no matter which site the request came from. A link is the simplest way to trigger it; anything that makes the browser fetch the URL, such as an image tag or a hidden frame, has the same effect.

I will create an HTML page named "ClickMe.html" with an anchor tag that points to the logout page.

    <!DOCTYPE html>
    <html xmlns="http://www.w3.org/1999/xhtml">
        <head>
            <title></title>
        </head>
        <body>
            <a href="http://localhost:63881/WebSite1/Logout.aspx">Logout</a>
        </body>
    </html>
Now if I run the page and click on the link "Logout":



Then it redirects me to the default page of the website, as in the following:



But "Home.aspx" is still open in another tab, so let's see what happens to that page after refreshing it.



See: I have not clicked the "Logout" button of my website, yet my session has been cleared by the outsider's page.

Solution

You can resolve this issue in one of the following 2 ways:
  • In the click event of the logout button on the "Home.aspx" page, store a marker string or number in the session, and on the page load event of the "Logout.aspx" page clear the session only if that marker is present.

  • Don't write any session-clearing code on the page load event of the "Logout.aspx" page; instead show a message like "Are you sure you want to logout?" with "Yes" and "No" links, and clear the session only when "Yes" is clicked.

Solution 1

Write the following code for the click event of the Logout link button in the .cs file of the "Home.aspx" page: store the marker in the session and then redirect to "Logout.aspx".



Check it on the page load event of the "Logout.aspx" page. If the marker is present in the session then clear the session; otherwise do nothing. The marker value does not need to be secret: what protects the user is that it can only be set by a postback to "Home.aspx" in the user's own session, which the outsider's link cannot do. Compare it as a string; Session[...] returns an object, so == against a string literal would be a reference comparison.

    protected void Page_Load(object sender, EventArgs e)
    {
        // Session["Key"] is an object; compare as a string rather than with ==
        if (string.Equals(Session["Key"] as string, "abc123xyz", StringComparison.Ordinal))
        {
            Session.Abandon();
            Session.Clear();
            Response.Redirect("Default.aspx");
        }
        // Otherwise the session is left untouched, so a direct request to this page does nothing
    }
Solution 2

Create a link button with a click event for "Yes" and a hyperlink for "No".

    <div>
        Are you sure you want to logout?
        <br />
        <asp:LinkButton ID="LinkButton1" runat="server" OnClick="LinkButton1_Click">Yes</asp:LinkButton>
        <asp:HyperLink ID="HyperLink1" runat="server">No</asp:HyperLink>
    </div>


Write the following code for the page load of "Logout.aspx" to set the NavigateUrl property of the "No" hyperlink to the previous page. Request.UrlReferrer is null when the browser sends no Referer header, so fall back to "Home.aspx" in that case. Note that the referrer is whatever page linked here, so without a same-site check the "No" link could send the user back to an outsider's page.

    protected void Page_Load(object sender, EventArgs e)
    {
        // Redirect to the previous page; the Referer header may be absent
        HyperLink1.NavigateUrl = Request.UrlReferrer != null
            ? Request.UrlReferrer.AbsoluteUri
            : "Home.aspx";
    }
And for the "Yes" link, write the following code to clear the session and redirect to the default page. Because a LinkButton raises a postback, this runs only on a POST from the form on this page; an outsider's plain link or image tag sends a GET, which now only shows the question.

    protected void LinkButton1_Click(object sender, EventArgs e)
    {
        Session.Abandon();
        Session.Clear();
        Response.Redirect("Default.aspx");
    }
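The following is an added example, not code from the original article, that hardens both Solution 1 and Solution 2 at once. The logout happens only inside a postback (a POST) whose ViewState MAC is bound to the user's session through ViewStateUserKey, so a postback forged from an outsider's own copy of the page fails validation; a plain GET to "Logout.aspx" changes nothing; the "No" link only returns to a same-site page instead of trusting the Referer header; and the session cookie is expired on logout so the old session ID is not carried into the next login. It assumes the article's Web Forms project (Home.aspx, Logout.aspx, the control IDs LinkButton1 and HyperLink1, the session key "ID"), the default session cookie name "ASP.NET_SessionId", and ViewState MAC validation left at its default (enabled).

```csharp
// Added example, not code from the original article.
// Assumptions: the article's Home.aspx / Logout.aspx pages and control IDs,
// session key "ID" set at login, and the default "ASP.NET_SessionId" cookie.
using System;
using System.Web;
using System.Web.UI;

// ---- Home.aspx.cs ----
public partial class Home : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // Must be set in Init, before ViewState is loaded and its MAC checked.
        // A postback forged from an outsider's own copy of the page fails
        // validation because its MAC was computed for a different key.
        ViewStateUserKey = Session.SessionID;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (Session["ID"] == null)
        {
            Response.Redirect("Default.aspx");
            return;
        }
        // Encode before echoing a value that originally came from user input.
        Response.Write("Welcome " + HttpUtility.HtmlEncode(Convert.ToString(Session["ID"])));
    }

    // The logout link only navigates to the confirmation page; no state changes here.
    protected void LinkButton1_Click(object sender, EventArgs e)
    {
        Response.Redirect("Logout.aspx");
    }
}

// ---- Logout.aspx.cs ----
public partial class Logout : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        ViewStateUserKey = Session.SessionID;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (Session["ID"] == null)
        {
            // Nobody is logged in, so there is nothing to confirm;
            // a cross-site GET that lands here is harmless.
            Response.Redirect("Default.aspx");
            return;
        }
        if (!IsPostBack)
        {
            HyperLink1.NavigateUrl = SafeReturnUrl(Request.UrlReferrer, Request.Url, "Home.aspx");
        }
    }

    // Returns the referrer's path and query if the referrer has the same origin
    // (scheme, host, port) as the current request, otherwise the fallback.
    // Handles a missing Referer header (null) and never returns an absolute
    // URL, so an outsider's page cannot become the "No" target.
    public static string SafeReturnUrl(Uri referrer, Uri current, string fallback)
    {
        if (referrer == null || current == null)
        {
            return fallback;
        }
        bool sameOrigin =
            string.Equals(referrer.Scheme, current.Scheme, StringComparison.OrdinalIgnoreCase) &&
            string.Equals(referrer.Host, current.Host, StringComparison.OrdinalIgnoreCase) &&
            referrer.Port == current.Port;
        return sameOrigin ? referrer.PathAndQuery : fallback;
    }

    // "Yes" is a LinkButton postback: a POST carrying __VIEWSTATE whose MAC
    // includes ViewStateUserKey. ASP.NET rejects the request before this
    // handler runs if the MAC does not match the current session.
    protected void LinkButton1_Click(object sender, EventArgs e)
    {
        Session.Clear();
        Session.Abandon();
        // Abandon() does not remove the cookie; expire it so the browser does
        // not carry the old session ID into the next login.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });
        Response.Redirect("Default.aspx");
    }
}
```

Session.SessionID is only stable once something has been stored in the session, which the login step does with Session["ID"]; if the session expires between showing the question and clicking "Yes", the MAC check fails and ASP.NET returns an error instead of running the handler, which is the safe outcome. The same ViewStateUserKey line belongs in Page_Init of every page that performs a state-changing postback, not only the logout page.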


I hope you now understand the problem and its solution.