ASP.NET使用表单验证在注销后使得浏览器后退按钮失效的简单方法

最新推荐文章于 2020-07-01 20:02:22 发布

gahetgidt

最新推荐文章于 2020-07-01 20:02:22 发布

阅读量1k

点赞数

分类专栏： c# 学习文章标签： asp.net 浏览器 authentication server forms asp

c# 学习专栏收录该内容

128 篇文章

订阅专栏

本文介绍了解决ASP.NET应用程序中表单验证后，用户通过浏览器后退按钮回到已登录页面的问题。通过创建Exit.aspx页面执行注销操作，并使用JavaScript重定向到登录页面，避免了缓存导致的安全隐患。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

http://www.cnblogs.com/charrli/archive/2011/02/12/1952715.html

问题描述：

ASP.NET使用表单验证在注销后浏览器仍然可以通过后退按钮回退到之前需要sign in才能看到的页面。

问题原因：

页面还保存在浏览器缓存中

解决方案：

一个可行的方案是为网站增加一个Exit.aspx页面，在其Page_Load方法里执行FormsAuthentication.SignOut()，同时使用JavaScript跳转到Logon页面。而SignOut按钮的唯一作用就是在客户端跳转到该Exit.aspx页面，而不是直接执行FormsAuthentication.SignOut():

1. Web.config如下，指明authentication方式为forms，loginUrl为logon.aspx。拒绝一切未授权用户("?")

 
     01<configuration> 
 
     02  <system.web> 
 
     03    <authentication mode="Forms"> 
 
     04      <forms loginUrl="logon.aspx" name=".ASPXFORMSAUTH"> 
 
     05      </forms> 
 
     06    </authentication> 
 
     07    <authorization> 
 
     08      <deny users="?" /> 
 
     09    </authorization> 
 
     10  </system.web> 
 
     11</configuration>

2. Logog.aspx页面如下：

   
    <%
    @ Page Language
    =
    "
    C#
    "
     
    %>
    

    <%
    @ Import Namespace
    =
    "
    System.Web.Security
    "
     
    %>
    


    <
    script runat
    =
    "
    server
    "
    >
    
  
    void
     Logon_Click(
    object
     sender, EventArgs e)
  {
    
    if
     ((UserName.Text 
    ==
     
    "
    testuser
    "
    ) 
    &&
     
            (UserPass.Text 
    ==
     
    "
    testuser
    "
    ))
      {
          FormsAuthentication.RedirectFromLoginPage 
             (UserName.Text, Persist.Checked);
      }
      
    else
    
      {
          Msg.Text 
    =
     
    "
    Invalid credentials. Please try again.
    "
    ;
      }
  }

    </
    script
    >
    

    <
    html
    >
    

    <
    head id
    =
    "
    Head1
    "
     runat
    =
    "
    server
    "
    >
    
  
    <
    title
    >
    Forms Authentication 
    -
     Login
    </
    title
    >
    

    </
    head
    >
    

    <
    body
    >
    
  
    <
    form id
    =
    "
    form1
    "
     runat
    =
    "
    server
    "
    >
    
    
    <
    h3
    >
    
      Logon Page
    </
    h3
    >
    
    
    <
    table
    >
    
      
    <
    tr
    >
    
        
    <
    td
    >
    
          E
    -
    mail address:
    </
    td
    >
    
        
    <
    td
    >
    
          
    <
    asp:TextBox ID
    =
    "
    UserName
    "
     runat
    =
    "
    server
    "
     
    /></
    td
    >
    
        
    <
    td
    >
    
          
    <
    asp:RequiredFieldValidator ID
    =
    "
    RequiredFieldValidator1
    "
     
            ControlToValidate
    =
    "
    UserName
    "
    
            Display
    =
    "
    Dynamic
    "
     
            ErrorMessage
    =
    "
    Cannot be empty.
    "
     
            runat
    =
    "
    server
    "
     
    />
    
        
    </
    td
    >
    
      
    </
    tr
    >
    
      
    <
    tr
    >
    
        
    <
    td
    >
    
          Password:
    </
    td
    >
    
        
    <
    td
    >
    
          
    <
    asp:TextBox ID
    =
    "
    UserPass
    "
     TextMode
    =
    "
    Password
    "
     
             runat
    =
    "
    server
    "
     
    />
    
        
    </
    td
    >
    
        
    <
    td
    >
    
          
    <
    asp:RequiredFieldValidator ID
    =
    "
    RequiredFieldValidator2
    "
     
            ControlToValidate
    =
    "
    UserPass
    "
    
            ErrorMessage
    =
    "
    Cannot be empty.
    "
     
            runat
    =
    "
    server
    "
     
    />
    
        
    </
    td
    >
    
      
    </
    tr
    >
    
      
    <
    tr
    >
    
        
    <
    td
    >
    
          Remember me
    ?</
    td
    >
    
        
    <
    td
    >
    
          
    <
    asp:CheckBox ID
    =
    "
    Persist
    "
     runat
    =
    "
    server
    "
     
    /></
    td
    >
    
      
    </
    tr
    >
    
    
    </
    table
    >
    
    
    <
    asp:Button ID
    =
    "
    Submit1
    "
     OnClick
    =
    "
    Logon_Click
    "
     Text
    =
    "
    Log On
    "
     
       runat
    =
    "
    server
    "
     
    />
    
    
    <
    p
    >
    
      
    <
    asp:Label ID
    =
    "
    Msg
    "
     ForeColor
    =
    "
    red
    "
     runat
    =
    "
    server
    "
     
    />
    
    
    </
    p
    >
    
  
    </
    form
    >
    

    </
    body
    >
    

    </
    html
    >

3. Default.aspx页面如下：

   
    <%
    @ Page Language
    =
    "
    C#
    "
     
    %>
    

    <
    html
    >
    

    <
    head
    >
    
  
    <
    title
    >
    Forms Authentication 
    -
     Default Page
    </
    title
    >
    

    </
    head
    >
    

    <
    script runat
    =
    "
    server
    "
     type
    =
    "
    text/C#
    "
    >
    
  
    void
     Page_Load(
    object
     sender, EventArgs e)
  {
    Welcome.Text 
    =
     
    "
    Hello, 
    "
     
    +
     Context.User.Identity.Name;
  }

    </
    script
    >
    


    <
    body
    >
    
  
    <
    h3
    >
    
    Using Forms Authentication
  
    </
    h3
    >
    
  
    <
    asp:Label ID
    =
    "
    Welcome
    "
     runat
    =
    "
    server
    "
     
    />
    
  
    <
    form id
    =
    "
    Form1
    "
     runat
    =
    "
    server
    "
    >
    
           
    <
    input type
    =
    "
    button
    "
     onclick
    =
    "
    window.location='Exit.aspx'
    "
    
            value
    =
    "
    Sign Out
    "
    />
    
  
    </
    form
    >
    

    </
    body
    >
    

    </
    html
    >

可见这里的SignOUt按钮是客户端控件，作用是跳转到Exit.aspx进行注销。由于这里使用的是Window.location跳转，所以在logon.aspx页面后退时，将会后退到exit.aspx而不是default.aspx

4. Exit.aspx:

   
    <%
    @ Page Language
    =
    "
    C#
    "
     
    %>
    

    <
    html
    >
    

    <
    head
    >
    
  
    <
    title
    ></
    title
    >
    

    </
    head
    >
    

    <
    script type
    =
    "
    text/javascript
    "
    >
    
    top.location.href 
    =
     
    "
    Logon.aspx
    "
    ;

    </
    script
    >
    


    <
    script runat
    =
    "
    server
    "
     type
    =
    "
    text/C#
    "
    >
    
     
    
    void
     Page_Load(
    object
     sender, EventArgs e)
    {
        FormsAuthentication.SignOut();
    }

    </
    script
    >
    


    <
    body
    >
    


    </
    body
    >
    

    </
    html
    >