I was given the task to take several websites and add login authentication to them. Currently, they are using Apache to log in, then it redirects to the site if their login was valid.
What I was going to do, or did, was create a login page and use their custom authenticator class (which they wanted me to use) to validate then if successful redirect to the home page...simple enough.
What I have a question on is if I am using this very basic (and probably old way) of doing this, can I add a session object "Authenticate" and set it to true if success, false if not. Then on the other pages during Page_Load check this session if authenticated and if not redirect to login page? Is this valid? Seems outdated and I know I can use the new Login Controls for .Net 3.5 but wasn't sure if I could or not.
They are not using Windows Authentication or anything; it's what is typed in the textbox and validated in SQL. The authentication class does this.
Would appreciate any suggestions on how I could validate on each page if they were logged in or not.
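The per-page check described in the post above, written once in a base class instead of in every Page_Load. This is an added example, not part of the original post: the names `AuthenticatedPage` and `SessionAuth` and the path `~/Login.aspx` are hypothetical, the session key "Authenticate" is the one named in the post, and the cookie name assumes the default ASP.NET session cookie.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class: protected pages inherit from this instead of Page.
public class AuthenticatedPage : Page
{
    public const string AuthKey = "Authenticate";   // session key named in the post
    private const string LoginUrl = "~/Login.aspx"; // assumed login page path

    protected override void OnInit(EventArgs e)
    {
        // Keep browsers and proxies from caching protected pages, so a page
        // revisited after logout is requested again and reaches this check.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();

        // A missing key, a non-bool value and false all mean "not logged in".
        object flag = Session[AuthKey];
        bool authenticated = flag is bool && (bool)flag;
        if (!authenticated)
        {
            // endResponse: true stops the page life cycle here, so no control
            // events or database calls run for an unauthenticated request.
            Response.Redirect(LoginUrl, true);
        }
        base.OnInit(e);
    }
}

// Hypothetical helpers for the login page and the logout link.
public static class SessionAuth
{
    // Call only after the site's own authenticator class accepted the login.
    public static void SignIn(HttpContext ctx)
    {
        ctx.Session[AuthenticatedPage.AuthKey] = true;
    }

    public static void SignOut(HttpContext ctx)
    {
        ctx.Session.Clear();    // drop the flag and any other per-user data
        ctx.Session.Abandon();  // end the server-side session
        // Expire the default session cookie so the old session ID is not reused.
        HttpCookie expired = new HttpCookie("ASP.NET_SessionId", "");
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        ctx.Response.Cookies.Add(expired);
    }
}
```

The login page itself must inherit from plain `Page`, otherwise the check redirects it to itself.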
and created the LogOut action in the controller page
public ActionResult LogOut()
Now when I click on the LogOut link, it redirects to the LogOut action, and in the LogOut action it deletes all the sessions, but when I click on the back button of the browser, it goes back to the previous page and the sessions are still alive. Does anyone have a solution to this problem?
Thanks for your reply. The back button is not my problem. The problem is that sessions are not expiring. When I go back to the previous page and refresh the browser, I get all the information from the database again; this should not happen, because before every database request it checks whether the session exists or not. If the session does not exist, then no database call will be fired. But this is not happening after the logout.