webspeed logout mechanism

Posted by bart.syryn on 26-Feb-2015 01:56

Hi, I'm building a small webspeed application and I'm trying to build a log-out mechanism. I thought it would be easy, but it seems that I'm missing some things. The user logs into the application. On the server side there's a .p that checks the credentials and adds a record in a database table with session information (username, login date and time, a session id and expiration date/time). When the user presses log-out in the webspeed application, again a .p on the server side sets the expiration date/time to the time the logout occurred. So the session is not valid anymore and I show the login.html screen again. But then when the user presses the back button in the browser he gets again to the page where he logged out. That html-file has some webspeed scripting, checking if the session is still valid, but that's not executed when he just presses back. Seems logical because the back button only shows the previous page. Question is now, how can I override this behaviour? How can I check if the session in webspeed script is still valid when the user presses the back button? It seems easy, but I have been trying and searching for the last three days, but with no success. Any suggestions? Kind regards Bart S.

All Replies

Posted by Matt Baker on 26-Feb-2015 07:50

 
 
This is a classic browser caching problem.  There is a little you can do to fix it, none of which is perfect, but you have to do it carefully as it may destroy browser caching if you do it wrong.
 
You can set a few headers that most browsers respect that will completely disable caching and force the browser to reload.
 
Below is .jsp code to set the headers to do this.
 
       response.setHeader(
                     "Cache-Control",
                     "no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0");
 
You don’t want to do this everywhere.  Setting this will cause the browser to completely re-evaluate the page if the user selects back.  At which point your cookie checks in the javascript will kick in and redirect the user back to the login page.
 
You could also globally add a cookie that every single page checks with a bit of javascript that will redirect the page to the login page if the cookie is missing/invalid.
 
Also, use document.location.replace("/logout…") instead of document.location = "/logout…" when navigating the user to the logout page.  This way if they try to select ‘back’ on the browser from the login page, they’ll get the logout page in the history instead of the page previous to the logout.
 
Consider making everything a “single page application”. This means almost everything is javascript based on something like kendo or extjs or similar toolkits.  Might not be an option depending on what you have now.
 
 
 

Posted by bart.syryn on 26-Feb-2015 10:55

Hi Matt,

Thanks for your response !

May I ask a few questions?

The code with response.setheader( .....) javascript function, where do I need to place that?  And do I need to call that function when the user presses the 'log out'-link? (onclick event).

About the cookie, if I understand you, I would need to delete-cookie in the logout.p (where I set expiration date/time) and then in every page check if the cookie exists in javascript?  The logout.p on the server side calls the LogIn.html file.

How could I use document.location.replace? The user presses the 'log out' button, and the logout.p is called.  At that point when I'm in logout.p I can't set document.location.replace because I'm in a pure progress .p.

Kind regards

Bart S.

Posted by Matt Baker on 26-Feb-2015 14:40

 
The document.replace is javascript.  This needs to happen on the client side when the user presses the logout button or link or whatever.
 
Then on the server side, once execution reaches logout.p you will call the webspeed function delete-cookie() and you will update the database to destroy their session, then you will send http headers to redirect the user to login.html.
 
Something like (warning: pseudo code):
 
----mypage.html-----
<button onclick="location.replace('/logout.html');">logout</button>
 
--------
 
 
----------------
logout.html
 
…..
procedure output-headers:
  define variable cSessionId as character no-undo.
 
  /* find session and destroy it and tell the web browser to wipe out the session cookie */
  cSessionId = get-cookie("sessionid").
  /* qualify the field so it is not confused with the local variable */
  find session where session.sessionid = cSessionId exclusive-lock no-error.
  if available session then
    delete session.
  /* path and domain are left unknown (?) */
  delete-cookie("sessionid", ?, ?).
 
  /* make sure browser always reevaluates the page and doesn't cache logout.html */
  output-http-header("Cache-Control", "no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0").
 
  /* redirect user to login page */
  output-http-header("Location", "/login.html").
 
  /* finalize content type */
  output-content-type("text/html").
 
end procedure.
…..
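
The flow described in this thread, modelled as an added example that is not part of the original posts and is not WebSpeed code: every protected page is served with the no-store header and re-checks the session on the server, so the re-fetch triggered by "back" after logout is redirected to the login page. The in-memory `sessions` map, the function names, the 30-minute lifetime and the session id value are assumptions made for the illustration.

```javascript
// Added example: constructed in-memory model, not WebSpeed code.
const NO_STORE = "no-cache, private, no-store, must-revalidate";
const LOGIN = "/login.html";
const sessions = new Map(); // sessionid -> { user, expires }; stands in for the session table

function createSession(sid, user, now, ttlMs = 30 * 60 * 1000) {
  sessions.set(sid, { user, expires: now + ttlMs }); // real ids must come from a CSPRNG
}

function cookie(header, name) {
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0 && part.slice(0, i).trim() === name) return part.slice(i + 1).trim();
  }
  return null;
}

function redirectToLogin(extra = {}) {
  return { status: 302, headers: { Location: LOGIN, "Cache-Control": NO_STORE, ...extra }, body: "" };
}

// Runs for every request, including the re-fetch the browser makes on "back"
// once the page was served with no-store.
function handle(req, now) {
  const sid = cookie(req.cookie, "sessionid");
  if (req.path === LOGIN) {
    return { status: 200, headers: { "Cache-Control": NO_STORE }, body: "login form" };
  }
  if (req.path === "/logout.html") {
    sessions.delete(sid); // destroy the server-side record first
    return redirectToLogin({ "Set-Cookie": "sessionid=; Max-Age=0; Path=/" });
  }
  const s = sessions.get(sid);
  if (!s || s.expires <= now) { // unknown or expired session: never render the page
    sessions.delete(sid);
    return redirectToLogin();
  }
  return { status: 200, headers: { "Cache-Control": NO_STORE }, body: `menu for ${s.user}` };
}

// Constructed walk-through: log in, open a page, log out, press "back".
function demo() {
  const now = 1_000_000, sid = "constructed-session-id";
  createSession(sid, "bart", now);
  const req = { path: "/wsMainUsr.html", cookie: `sessionid=${sid}` };
  const before = handle(req, now);
  const logout = handle({ path: "/logout.html", cookie: req.cookie }, now + 1);
  const back = handle(req, now + 2); // browser still replays the old cookie value
  return { before, logout, back };
}
```

The server-side check is what ends the session; the header only makes the browser ask the server again instead of showing its stored copy.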

Posted by Matt Baker on 26-Feb-2015 14:45

A bit more information:
 
http://stackoverflow.com/questions/49547/making-sure-a-web-page-is-not-cached-across-all-browsers
 

Posted by bart.syryn on 27-Feb-2015 03:30

Hi Matt,

Thanks for the clear example. I implemented it and I've got it working, but not completely.  I think it has something to do with my handling of the html-files.

What I do :

User goes to the login page : wsLogin.html

He presses 'login' in the wsLogin.html file : <form method="post" action="Login.r">

So Login.r (just a .p on the server is called). The validation happens in that .r and the sessionID is set.  In the .p when the validation is correct I do :

RUN run-web-object IN web-utilities-hdl("wsMainUsr.html").

So I call the main menu.

In the main menu when the user clicks 'log out' I added as you suggested :

<button onclick="location.replace('/wslogout.html');">logout</button>

wslogout.html is called and in that html-file I placed the code you suggested.

Then it works!!! The user gets the login page again and he can't press the back button.  The wslogin.html is called every time I press the back button.  So far so good.

But it's not working in the following scenario :

User logs in : wsLogin.html -> server side login.r -> show wsMainUsr.html.

Then the user presses a menu item, e.g. 'employees', so my wsEmployee.html file is called.  When he presses the 'log out' button in the wsEmployee.html file, I do exactly the same as in wsMainUsr.html. The user gets back to the login page (wsLogin.html).  When I then press back he gets the login.r in his url and he's back on the main menu (wsMainUsr.html) ....

The url at that point is : http://localhost/dplan.init/login.r

I must do something wrong, but I really don't know how to solve it ...

Any suggestions ...

Kind regards,

Bart S.

This thread is closed