3

Scenario:

  1. User "a" logs in to the website and gains access to member directory pages from a library computer.
  2. User "a" logs out and leaves the browser open.
  3. User "b" starts to use the same computer, hits the back button, and sees User "a"'s member pages and information.
  4. User "b" cannot do anything on the pages but view them (they will be redirected to login if they hit refresh, for example). User "b" being able to view a's data at all is a security hazard/bug.

Current code on log off:

    Session.Contents.RemoveAll();
    FormsAuthentication.SignOut();
    Session.Abandon();
    Response.Redirect("~/LogOff.aspx", false);

So how can I stop them from just hitting back on the browser to "view only" pages that they are no longer authenticated to view?

I understand that there is a way to switch off browser caching for the site.

E.g.: Disabling browser caching for all browsers from ASP.NET

But would this interfere or be costly, as I have update panels for partial postbacks?

Are there any other alternatives to the problem I've described?

Thanks

RY4N

2 Answers

1

I know a more primitive way for this. You should check the activated user in the page load of all pages; if the current user is not an activated user, you should redirect him/her to logof.aspx. It is not the best way, but it used to work. I hope it helps you.

JackBauer
  • There is no page load; I'd obviously have no problem if there was. We already implement authentication on every page using ASP membership and a privilege system, as well as webconfig folder settings. – RY4N Jul 16 '12 at 11:44
0

OK, Session[""] != null is the important thing, to see whether that's null or not. But as there isn't any page_Load event, this is the solution: disable caching on master pages / content holder pages. The pages won't be stored in the cache, and on pressing the back button it will take you to the login screen if the user isn't logged in.

Copy these tags under the head section:

    <meta http-equiv="Pragma" content="no-cache" />
    <meta http-equiv="Expires" content="-1" />
    <meta http-equiv="CACHE-CONTROL" content="NO-CACHE" />

And copy this into the code-behind file:

    Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
    Response.Cache.SetCacheability(System.Web.HttpCacheability.NoCache);
    Response.Cache.SetNoStore();

You will be good to go.
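
Added example (not part of the answer above or the asker's code): the same three cache settings applied from one HTTP module instead of each code-behind file, and only to .aspx pages served to a signed-in user, so static files and script resources stay cacheable. The module name is hypothetical, and it is assumed to be registered in web.config.

```csharp
// Added example. NoStoreForMemberPagesModule is a hypothetical name; register it
// in web.config under <system.webServer><modules> (integrated pipeline)
// or <system.web><httpModules> (classic pipeline).
using System;
using System.Web;
using System.Web.UI;

public class NoStoreForMemberPagesModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Fires after authentication and handler mapping, just before the page runs,
        // so both the identity and the mapped handler are known here.
        app.PreRequestHandlerExecute += OnPreRequestHandlerExecute;
    }

    private static void OnPreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Only Web Forms pages requested by an authenticated user carry member data.
        // Anything else (images, CSS, script resources, the login page for an
        // anonymous visitor) keeps its normal caching behaviour.
        if (!(ctx.Handler is Page) || !ctx.Request.IsAuthenticated)
            return;

        // Same settings as the code-behind snippet above:
        // do not cache, do not store, already expired.
        HttpCachePolicy cache = ctx.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);
        cache.SetNoStore();
        cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
    }

    public void Dispose() { }
}
```

After deploying, check the response headers of a member page in the browser's developer tools and confirm that the back button after log off leads to the login page.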