I wrote a membership system with ASP. The system is simple. When the user logs in with the correct username and password, I assign the username to a session variable. After that, when the user navigates through the pages of the members area, I use the session variable to identify the user. And when the user logs out, I abandon the session.
But I have a problem with this system. I have written out the problem step by step:
1) The user logs in to the system.
2) The user closes the browser window without logging out.
3) The user opens a blank browser.
4) The user directly enters the path of the members area.
5) USER IS IN!
How can I fix this problem? The user can bypass the login page. How can I prevent this? Or can you send some examples which don't have this bug?
Note: If the user tries these steps after logout, he/she can't get in. The bug occurs if he/she doesn't use logout.