Hi, we have a system which is browser based. Since the system needs a fair amount of security, we need to disable the cross button on the browser and let the user log out through the screen itself. Can we disable the cross button on the browser? Secondly, if this is not possible, we need to invalidate the session if he clicks on the cross button.
We need to use some properties of the HTML page to achieve this, either the form properties or the body properties. If someone can throw some light on this, it would be highly appreciated. Also, please note we are not using frames.
If I understand correctly, you wish to block the user from backing up a page, and not allow them to cache the page. Is that correct?
If so, your best bet would be to start with NO CACHE meta tags or HTTP headers. If you don't have control over the headers the server is sending out, then meta tags would be the second best bet. Also, you might consider a secure server, as most browsers won't cache pages on secure servers.
Does the X button refer to the 'close window' button? If so, I'm pretty sure there is no way of disabling this.
An alternative is to create a popup using the onUnLoad event. Whilst this is considered naughty on the net it's normally a-ok in trusted applications, especially when it's used to call a page that will mop-up the session (log the user out).
If you're working with IE5+ you can also take advantage of the onBeforeUnLoad event to warn users that they will be logged out and give them the option to cancel their action.
Problems with onUnLoad: You would errr.. need to be using frames to do this! or every time a new page is loaded the onUnLoad event would fire for the previous page.
If you have some server scripting power you can normally listen for some kind of event that signifies the end of a session which can call a mop-up script on the server.
Those are good ideas. Most systems, as another idea, simply have a timeout value for logging out. If the user has not interacted with the system in say the past 10 minutes, they will be required to log in again.
Yup, it's exactly this 'Timeout' that reflects the end of a session event mentioned above. To give a more detailed example in ASP & VBScript you would simply add a sub like...
    Sub Session_OnEnd
        ' Put your logout code here
    End Sub
...to the Global.asa file. You can configure the timeout period in IIS under properties of the specific application (Properties > Directory Tab > Configuration Button > App Options Tab) - it usually defaults to 20 minutes (of inactivity will end the session).
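The idle timeout and end-of-session hook discussed in this thread, as an added example that is not part of the original posts: a server-side session store that ends a session on explicit logout or after a period of inactivity and runs a cleanup callback in both cases. The `SessionStore` class, its method names and the injectable clock are hypothetical; the 20-minute default mirrors the IIS default mentioned above.

```javascript
// Added example: in-memory session store with an idle timeout and an
// end-of-session hook comparable to Session_OnEnd. All names are hypothetical.
const crypto = require('crypto');

class SessionStore {
  // timeoutMs: idle period; onEnd: cleanup hook; now: injectable clock for testing
  constructor({ timeoutMs = 20 * 60 * 1000, onEnd = () => {}, now = Date.now } = {}) {
    this.timeoutMs = timeoutMs;
    this.onEnd = onEnd;
    this.now = now;
    this.sessions = new Map(); // id -> { user, lastSeen }
  }

  create(user) {
    const id = crypto.randomBytes(32).toString('hex'); // unguessable session id
    this.sessions.set(id, { user, lastSeen: this.now() });
    return id;
  }

  // Per-request check: refreshes the idle timer, or ends an expired session.
  touch(id) {
    const s = this.sessions.get(id);
    if (!s) return null;
    if (this.now() - s.lastSeen >= this.timeoutMs) {
      this.end(id, 'timeout');
      return null;
    }
    s.lastSeen = this.now();
    return s;
  }

  // Explicit logout: a logout link, or a request sent from an unload handler.
  end(id, reason = 'logout') {
    const s = this.sessions.get(id);
    if (!s) return false;
    this.sessions.delete(id);
    this.onEnd(id, s.user, reason); // mop-up code runs here
    return true;
  }

  // Periodic sweep for users who closed the window and never returned.
  sweep() {
    let ended = 0;
    for (const [id, s] of this.sessions) {
      if (this.now() - s.lastSeen >= this.timeoutMs) { this.end(id, 'timeout'); ended++; }
    }
    return ended;
  }
}
```

Because the browser may never deliver the unload request, the timeout path is the one that guarantees the session ends; the explicit `end` call only shortens the window.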