How do I make sure that a asp page expires immediately and is not stored in the history ???

[divya]

I have a page name edit.asp which should expire immediately .The user
cannot open this page directly he has to provide a password for
entering this page.thus when the user enters edit.asp , it has a button
EDIT ,which when user clicks directs him to another page (done.asp).
Now the problem is that from this page (done.asp) if he clicks on the
back button on the toolbar then edit.asp opens.But I don't want it to
open It should show page has expired .Because he is entering without
providing password and can also edit the record second time by hitting
EDIT button. How do I make sure edit.asp page expires immediately or is
not stored in the history ??? I tried using response.expires= - 400
but this doesn't work.Do I need some javascript which stops edit.asp
from getting stored in the HISTORY??? Kindly help with some solution.

 

[Anthony Jones]

I have a page name edit.asp which should expire immediately .The user
cannot open this page directly he has to provide a password for
entering this page.thus when the user enters edit.asp , it has a button
EDIT ,which when user clicks directs him to another page (done.asp).
Now the problem is that from this page (done.asp) if he clicks on the
back button on the toolbar then edit.asp opens.But I don't want it to
open It should show page has expired .Because he is entering without
providing password and can also edit the record second time by hitting
EDIT button. How do I make sure edit.asp page expires immediately or is
not stored in the history ??? I tried using response.expires= - 400
but this doesn't work.Do I need some javascript which stops edit.asp
from getting stored in the HISTORY??? Kindly help with some solution.

Not much you can do about this. Think of it this way if the user were to
navigate to the done.asp using open in new window feature would you be able
to do anything about them bringing the original window into the foreground?

In effect a browsers like IE implements many navigations in this way but the
reuse the client area of the browser to show the new window. When you click
back it simple returns the still existing loaded web page to the client
area. Obviously there comes a point where if you click back enough that the
browser will be forced to reload the page. The HTTP rules covering caching
end at the point the resource content is delivered to the browser. What the
browser does with that resource and when it feels the need to re-request
that resource is entirely it's business.

 

[Mike Brind]

I have a page name edit.asp which should expire immediately .The user
cannot open this page directly he has to provide a password for
entering this page.thus when the user enters edit.asp , it has a button
EDIT ,which when user clicks directs him to another page (done.asp).
Now the problem is that from this page (done.asp) if he clicks on the
back button on the toolbar then edit.asp opens.But I don't want it to
open It should show page has expired .Because he is entering without
providing password and can also edit the record second time by hitting
EDIT button. How do I make sure edit.asp page expires immediately or is
not stored in the history ??? I tried using response.expires= - 400
but this doesn't work.Do I need some javascript which stops edit.asp
from getting stored in the HISTORY??? Kindly help with some solution.

Going on from what Anthony said, create a session variable when the user
logs in to edit.asp. When they submit the page, check for the existence of
the variable before commiting any updates to the database. Once the update
has ocurred, remove the session variable. That way, they will have to log
in to the edit.asp page again to be able to change anything. They will
still see the page in their history, but if they tried to submit it, your
code will spot the absence of the session variable and redirect them
somewhere else.

 

[Dave Anderson]

I have a page name edit.asp which should expire immediately .The user
cannot open this page directly he has to provide a password for
entering this page.thus when the user enters edit.asp , it has a
button EDIT ,which when user clicks directs him to another page
(done.asp). Now the problem is that from this page (done.asp) if he
clicks on the back button on the toolbar then edit.asp opens.But I
don't want it to open It should show page has expired .Because he is
entering without providing password and can also edit the record
second time by hitting EDIT button. How do I make sure edit.asp page
expires immediately or is not stored in the history ??? I tried
using response.expires= - 400 but this doesn't work.Do I need some
javascript which stops edit.asp from getting stored in the HISTORY???

If edit.asp is posting back to itself, then you could always send this on
successful submission:

window.location.replace("done.asp")

Alternately, you could put edit.asp in a pop-up, and close the window upon
submission.

Either of these requires the client to cooperate, so Mike's session variable
suggestion would be a good complement.

 

[divya]

Thank you Mike, Anthony, Dave for the solutions.I used the session
variables method.
Just before entering the Edit.asp I initialized the variable
Session("Entered")=True
now when user clicks on EDIT I chk for the Session("Entered") and if
its true update the record and do Session.Abandon .
session.Abandon removes the session variables destroys that session.
Few observations I made while practicing session variables :-
1.The session id remains the same when I write response.write
session.sessionid before and after session.abandon.

response.write session.SessionId
session.Abandon
response.write session.SessionId

but now when I refresh the page the sessionid changes.

2.Is there a way by which instead of closing the whole session using
session.abandon which removes all the session variables,I free only few
session variables which I know are not needed after a point??

3.When I say open in new window,the session id remains same for both
the windows.
My understanding:- I think this happens because the session id is
appended at the end of the URL when its sent to the server.Not sure

4.assuming that there are no session variables used in any of the
pages, still Is the session id assigned to a user when he requests for
a page ??When does a session start??Is it when a session variable is
defined or when a user requests the server for a ASP page or a Static
Html page ?

5. When a Isapi filter like cookie munger is used ,b4 sending an ASP
page to client it parses the HTML for hyperlinks and at the end of the
hyperlink URL adds the synthesized
Session id for the client.Is this added the same way a querystring is
added to URL" ?..."
Might be the synthesized Sessionid looks like something which a client
who accpets cookies sends to server ,but in this case is calculated by
Cookie Munger and added to all the hyperlinks present in the ASP page.

 

[Evertjan.]

divya wrote on 13 okt 2006 in microsoft.public.inetserver.asp.general:

2.Is there a way by which instead of closing the whole session using
session.abandon which removes all the session variables,I free only few
session variables which I know are not needed after a point??

Session.Contents.Remove(name|index)

Session.Contents.RemoveAll()

 

[Anthony Jones]

Thank you Mike, Anthony, Dave for the solutions.I used the session
variables method.
Just before entering the Edit.asp I initialized the variable
Session("Entered")=True
now when user clicks on EDIT I chk for the Session("Entered") and if
its true update the record and do Session.Abandon .
session.Abandon removes the session variables destroys that session.
Few observations I made while practicing session variables :-
1.The session id remains the same when I write response.write
session.sessionid before and after session.abandon.

response.write session.SessionId
session.Abandon
response.write session.SessionId

but now when I refresh the page the sessionid changes.

Session.Abandon marks the session as abandoned. The Session object will be
destroyed once the currently running script completes. Hence you can still
use the session object after an abandon in the script but any changes etc
will be lost as soon as the request is completed.

2.Is there a way by which instead of closing the whole session using
session.abandon which removes all the session variables,I free only few
session variables which I know are not needed after a point??

As Evertjan points out use Session.Remove to destroy the marker you are
using rather than the session object as a whole

3.When I say open in new window,the session id remains same for both
the windows.
My understanding:- I think this happens because the session id is
appended at the end of the URL when its sent to the server.Not sure

A the SessionID is sent returned as a temporary cookie rooted at the
application path. Hence any requests to pages and files within you
application will receive this ID cookie in the http headers. ASP can use
this cookie to look up and install the correct session object into the
script context for the ASP page.

A new window will not launch a new browser process just creates a new window
in the existing process. Hence any temporary cookies installed in the
process will be sent as appropriate in any requests generated by this new
window.

4.assuming that there are no session variables used in any of the
pages, still Is the session id assigned to a user when he requests for
a page ??When does a session start??Is it when a session variable is
defined or when a user requests the server for a ASP page or a Static
Html page ?

When the first ASP request is made. Regardless of whether the ASP page make
use of the session object the script processor needs to create one to put
into the context in case it is needed.

5. When a Isapi filter like cookie munger is used ,b4 sending an ASP
page to client it parses the HTML for hyperlinks and at the end of the
hyperlink URL adds the synthesized
Session id for the client.Is this added the same way a querystring is
added to URL" ?..."
Might be the synthesized Sessionid looks like something which a client
who accpets cookies sends to server ,but in this case is calculated by
Cookie Munger and added to all the hyperlinks present in the ASP page.

This sounds like a filter designed to make ASP work with browsers that
aggressively reject any form of cookie. The cookie munger is tracking at
least the Set-Cookies of ASPSessionXXXXX and adding them to the querystrings
of links, src, hrefs it finds in the outgoing response and any subsequent
responses.

When it sees these querystring entries on a request it extracts them and
creates the appropriate cookie headers in the response before passing the
request on. Hence ASP sees what it expects even though the client has
disallowed cookies.