2

In my MVC 4 application, I am using a BaseController to execute a few processes whenever any of my other controllers get hit, one of which is checking if a user is logged in or not.

I've noticed that this is a common issue across design patterns, frameworks, what-have-you. Sadly, I could not find a solution.

Let's keep this short and sweet: how can we prevent the back button from allowing unauthorized access to my MVC 4 pages?

keeehlan

2 Answers

1

One possible issue is the page being in the browser cache. Consider adding some anti-caching code to the page initialization.

 Response.Cache.SetCacheability(System.Web.HttpCacheability.NoCache);
 Response.Cache.SetNoStore();

Here are some other questions with some implementation options.

Disable browser cache for entire ASP.NET website

How do I add site-wide no-cache headers to an MVC 3 app

ericdc
  • For dynamic content I think it is a good idea to not let the browser cache those pages to begin with. I don't know what you could do to clear the cache on logout, as the browser caches each resource (page, CSS, etc.) separately. If the URL is cached in the browser, going back to it will show the previous state of the page unless you do a refresh, clear the cache, or change the URL with some query string. – ericdc Jun 17 '13 at 23:38
0

You should try this: https://stackoverflow.com/a/2969537/957921

It is about adding an attribute to the action methods to avoid browser caching.

thepirat000
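Both answers point at the same fix, so here it is as one added example (not code from either answer or from the linked posts): the `Response.Cache` calls from the first answer wrapped in an action filter attribute, as the second answer suggests, and applied once to a base controller. `NoCacheAttribute`, `OrdersController` and the empty `BaseController` body are hypothetical names standing in for the asker's code; the headers only stop the browser from redisplaying a stored copy after logout, while the login check in the base controller remains what authorizes each request.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute: marks every response it covers as non-cacheable,
// so Back after logout triggers a new request instead of showing a stored page.
public sealed class NoCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        // Child actions render into the parent's response; the parent request
        // sets the headers, so there is nothing to do here.
        if (filterContext.IsChildAction)
        {
            base.OnResultExecuting(filterContext);
            return;
        }

        HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;

        // The two calls from the answer above.
        cache.SetCacheability(HttpCacheability.NoCache);
        cache.SetNoStore();

        // Also require revalidation and send an expiry date in the past,
        // for caches that look at Expires.
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        cache.SetExpires(DateTime.UtcNow.AddDays(-1));

        base.OnResultExecuting(filterContext);
    }
}

// Stand-in for the question's BaseController. The existing "is the user
// logged in?" check stays here; [NoCache] is inherited by every controller
// that derives from it.
[NoCache]
public abstract class BaseController : Controller
{
}

// Hypothetical controller: its pages are served with the no-cache headers,
// so a Back navigation re-requests them and hits the login check again.
public class OrdersController : BaseController
{
    public ActionResult Index()
    {
        return View();
    }
}
```

To confirm it works, load a protected page and check the response headers in the browser's network tab for `no-cache` and `no-store` in `Cache-Control`, then log out and press Back: the request should reach the server and be redirected to the login page.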