Hi Robert,
Ok, there are a few bases to be covered here. It's possible to miss one, or indeed it's possible to mis-interpret what is happening.
Firstly - The status of "logged in" or "logged out" are unrelated to the session queue. In other words logging in, or out, does not affect the state of the variables in the session queue.
So you are correct, if you want to force the session to be deleted, then you can do the
p_web.DeleteSession()
p_web.NewSession()
calls.
Note that NewSession will not necessarily change the session number, that's irrelevant - rather it is the variables inside the session that are deleted.
Now for the complication when you hit the "back" button. The different browsers behave slightly differently here. Some, for example, do not query the server at all, they simply display something they've cached along the way. If that something is the login screen, then often they'll "helpfully" fill in all the fields for you. Others will redo the actual POST complete with login and password etc.
On your side there are a number of ways of dealing with this. One is demonstrated in example 3 - which is the addition of a "hash value" to the login screen. The logic is simple - when the form is generated a session value ('hashvalue') is declared with a random number. When the user logs in this value is cleared. During the login, this value is checked as part of the login validation (before the session value is cleared). This technique prevents the same login form from being posted twice.
Of course, user education is a wonderful thing, and this applies to _all_ sites you log into, not just NetTalk ones. If you are ever using a public machine to access a site protected by a password you should always;
a) make sure you click the logout button if the site provides one
b) clear the browsing history from the browser (especially clearing cookies) and
c) Close the browser before leaving the machine.
Cheers
Bruce
Topic: Safe logout (Read 2580 times)