I have an application which uses Httpsession for authenctaion.
If the user logs in the application and open status page he will be able to see the list of status. I want to prevent the users from the copying the URL’s and posting the same URL.
If the user opens an another tab I want to redirect them to LOGIN page:
Pasting some part of the code: This is for expiry:
Public Function IsValidHandle(ByRef httpSessionState As System.Web.SessionState.HttpSessionState) As Boolean
If httpSessionState("Handle") Is Nothing _
OrElse (CIntSafe(httpSessionState("Handle")) <= 0 Or TrimSafe(httpSessionState("Handle")) = String.Empty) Then
Return False
Else
Return True
End If
End Function
2
Answers
I tried this and it worked. JS does wonders:
This is VERY difficult. The user may well launch another browser – perhaps FireFox and Edge at the same time. You MIGHT be able to say put a time in session as to when they launched the page. But, preventing users from opening a browser and jumping to a page is a challenge. You simple saying "another tab", but in theory they might have just pulled out their smartphone, or launched another browser. A tab is not really a tab, but a whole new browser page. This also suggests for a given page, you want to use "per page" persisting, and not session for things like a row selected PK.
And if they close the page, jump to shop to another site, or just close the lid on their laptop? Very had to know that they are not on your web page anymore.
Web development is state-less. This suggests you should NOT care if they open that page more then one time (so what????).
You could try perhaps a session and some kind of timer on that page. (say every 10 seconds). If the session value was not updated, then you know they left the page.
The problem is MORE of how do you know when they left the page? You need to know that since then how can you prevent them from opening again if you don’t know if they have the other tab open? (answer: is you don’t!!!).
The other way? You could probably adopt SignalR, as that keeps a live connection to the server – and that could save you writing a bunch of timer code, or even say some code that does a ajax call every 10 seconds to update some session value. If that session() value not updated say in 10 seconds, then you would know the person has closed their browser, or is now jumped some place else to shop or do whatever.
The better solution?
You should not care if they have the page open 1 or 5 times. After all, its a web site, and you could have 30 or more users. Your "design" in the first place should not care – and thus adopting a page and code design in which you don’t HAVE to care is the best solution here.
Why does it matter if they have the page open 2 or 8 times? It should not.