How to protect the webpage

I have web pages running on localhost. If I copy the web page link (address link) and paste it into another tab or browser, it should not open; it should display a login page.

For example, web pages are

Login.aspx
Account.aspx

Once logged in, the account page opens. Then I copy the address link and try to open it in another tab or browser. The account page is displayed directly.

The account page should not open directly without the login page.

How do I protect the web pages?

Need some examples.


This will work. Store it in Context.Items and transfer the request to the other page.

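    // In Login.aspx: hand the user name to the next page for this request only
    Context.Items["userName"] = myValue;
    Server.Transfer("Account.aspx");

    // In Account.aspx
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            if (UserName == null)
            {
                // Context.Items holds objects; copy the value into ViewState via the property
                UserName = Context.Items["userName"] as string;
            }
            if (UserName == null)
            {
                // Nothing was passed from Login.aspx: send the user back to log in
                Server.Transfer("Login.aspx");
            }
        }
    }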

    private String UserName
    {
        get
        {
            if (ViewState["UserName"] != null)
            {
                return ViewState["UserName"].ToString();
            }
            else
            {
                return null;
            }
        }
        set
        {
            ViewState["UserName"] = value;
        }
    }

Again, I don't see why you would not want the page to work in another tab. But this will work for you.


You can do that. Load and unload events should be set into session. Depending on the state, you can decide to show the login or the requested page. Setting into the session might be done via AJAX.


To do what you want you need to understand how the tabs in the browsers work. Usually they share the cookies and session states, and that is why when you have a session on a website, if you click on a link, or open a new window, the session continues there (and that is why you have some security issues).

To solve your problem you need to keep the session in some other way... And that may not be easy...

So, if you really need to do that, then you need to have something unique on your page that is not shared. You can have a hidden field that is passed on every link that you select. But that implies a lot of work in managing your pages. And it will bring other security issues (like if someone sends the link, then the session also goes :-( ).

One strange way you could do it is having frames. On the base page (the one that contains the frames) you would store the session in some JavaScript. Then all the pages check if there is the top page, and if it has a valid session. When you open a new tab and copy the link, the frame page will be clean, so you would need a new login. I do not know if it has any other security issues attached to doing it like this.


Session is shared across tabs and windows. It is not shared across different browsers (e.g. IE and Firefox).

I'm not clear why you need to keep the variables separate across tabs.

I guess if you want to, you could POST some value from one page to another. In Page_Load, if not isPostback, store that value in ViewState. If the value is not received redirect to the login page.

But, it would be better to re-think about why you want to do this. There might be a better way to accomplish your goal.


If I understand you correctly, I believe it's the default behavior of a web browser. It's the same in the case of Gmail, Hotmail or any other web app that provides login/logout sessions. Log in to Gmail, open your contacts page, and copy and paste the contacts page URL into another browser tab, and you will see the same contacts page without being asked for the login page.

This article might help you understand; and provide a way to work around.

Proper support for Session Merging is important because most web applications are written to expect it. For instance, when a web application opens a popup window, it usually does so with the expectation that the popup window will share cookies with the main window, so that the user will remain logged in and their preferences will remain available, etc. Similarly, when the user uses the Duplicate Tab command, they reasonably expect the new tab to show them the same content as the original tab-- sharing cookies is critical for that scenario to work correctly.


How about redirecting to Login.aspx if Account.aspx is accessed when a user is not logged in?

That's how the majority of the sites operate.

You could check the session state in Account.aspx and then redirect to Login.aspx accordingly.


This is not really a good approach to design your page. HTTP is stateless, meaning that the typical way to keep a session of a user that's logged in is by using a cookie with some random session string in it. This string is sent with each request, and the server will check if the string is associated with a session.

Now, the gotcha here is that this session string is managed by the user's browser, which is running purely client-side. You can make the browser "forget" about the string in different tabs, but it's complicated and quirky.

If this is some kind of security issue, don't do it! :) Never trust client-side logic to keep your site more secure.

[EDIT] I'm assuming you mean that the user logged in in the first tab, and didn't log out afterwards?
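
The server-side check the two answers above describe (session state checked in Account.aspx, with the session located through the browser's session cookie) could look like this in Web Forms. This is an added example, not code from any of the posters; the class names, the "UserName" session key and the page paths are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class: Account.aspx.cs would declare
// "public partial class Account : AuthenticatedPage".
public class AuthenticatedPage : Page
{
    public const string UserKey = "UserName";      // assumed session key
    public const string LoginUrl = "~/Login.aspx"; // assumed path

    protected override void OnInit(EventArgs e)
    {
        // Session state is held on the server and looked up through the
        // session cookie, so a request without a logged-in session stops here.
        if (Session[UserKey] == null)
        {
            string back = HttpUtility.UrlEncode(Request.RawUrl);
            // endResponse: true aborts the page so no protected code runs.
            Response.Redirect(LoginUrl + "?ReturnUrl=" + back, true);
        }
        // Keep the browser from redisplaying a cached copy after logout.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        base.OnInit(e);
    }
}

// Hypothetical helper, called from Login.aspx once the password is verified.
public static class LoginHelper
{
    public static void SignIn(HttpContext ctx, string userName)
    {
        ctx.Session[AuthenticatedPage.UserKey] = userName;
        string target = ctx.Request.QueryString["ReturnUrl"];
        // Follow ReturnUrl only when it is a path inside this site.
        ctx.Response.Redirect(IsLocalPath(target) ? target : "~/Account.aspx", true);
    }

    public static void SignOut(HttpContext ctx)
    {
        ctx.Session.Abandon(); // drop the server-side session
        ctx.Response.Redirect(AuthenticatedPage.LoginUrl, true);
    }

    static bool IsLocalPath(string url)
    {
        return !string.IsNullOrEmpty(url) && url[0] == '/' &&
               (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }
}
```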


Redirect if referrer is null or not login page.

if (Request.UrlReferrer == null || !Request.UrlReferrer.LocalPath.Equals("/website1/account/login.aspx",StringComparison.OrdinalIgnoreCase))
{
    Response.Redirect("/website1/account/login.aspx");
}