I am working on my own login/logout module in ASP.NET MVC 4 and I am clearing the session in my logout Action result and also not storing the cache using the following code.

    using System.Web.Mvc;
    using System.Web.Security;

    // UserController: the login/logout actions referenced from the layout
    public class UserController : Controller
    {
        [HttpGet]
        public ActionResult Login()
        {
            return View();
        }

        // NoStore was placed on the login action here (see the answer below)
        [OutputCache(NoStore = true, Duration = 0, VaryByParam = "None")]
        [HttpPost]
        public ActionResult Login(Models.User user)
        {
            if (ModelState.IsValid)
            {
                if (user.IsValid(user.UserName, user.Password))
                {
                    FormsAuthentication.SetAuthCookie(user.UserName, user.RememberMe);
                    return RedirectToAction("Index", "Admin");
                }
                else
                {
                    ModelState.AddModelError("", "Login data is incorrect!");
                }
            }
            return View(user);
        }

        public ActionResult Logout()
        {
            FormsAuthentication.SignOut();
            Session.Clear();
            Session.Abandon();
            Session.RemoveAll();
            return RedirectToAction("Index", "Home");
        }
    }

Home Index Controller

    [Authorize]
    public ActionResult Index()
    {
        return View();
    }

Layout cshtml

    @if (Request.IsAuthenticated)
    {
        <strong>@Html.Encode(User.Identity.Name)</strong>
        @Html.ActionLink("Sign Out", "Logout", "User")
        @Html.ActionLink("Grid", "Index", "Admin")
    }
    else
    {
        @Html.ActionLink("Sign In", "Login", "User")
    }

I am using forms authentication and everything works fine, but after I log out of the page I am still able to access the secured page by clicking the back button.

May I know where I am making a mistake?

DoIt
    I would have an `[Authorize]` at controller level and then an `[AllowAnonymous]` on the Login Actions – Lotok Nov 13 '13 at 14:31
  • Is it possible you're just looking at a cached version? Instead of pressing back, try to navigate to a secure part of the site – Ben Nov 13 '13 at 14:36
  • Nothing worked out. I am able to prevent access through the URL after logging out but can't do it with the back button. – DoIt Nov 13 '13 at 15:15
  • You could always force a page refresh after logout, it may be enough to prevent going back to the cached page. javascript: `window.location.href = window.location.href;` – Lotok Nov 13 '13 at 15:28

1 Answer

Silly mistake: I should use `[OutputCache(NoStore = true, Duration = 0, VaryByParam = "None")]` on my secure page instead of on the login page.

DoIt
  • More information on this is here: http://stackoverflow.com/questions/20895489/outputcache-setting-inside-my-asp-net-mvc-web-application-multiple-syntax-to-pr – Adrian Carr Aug 27 '14 at 02:56
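As an added example (not code from the question or the answer), the same no-store behaviour expressed as a global action filter that sets the cache headers explicitly on every response, combined with the controller-level `[Authorize]` / `[AllowAnonymous]` layout suggested in the comments. The class names NoBrowserCacheAttribute and FilterConfig are assumed; UserController matches the "User" controller referenced in the question's layout.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Marks every response as non-cacheable so the browser re-requests a
// secured page on Back instead of showing a stored copy; the server then
// sees a signed-out request and [Authorize] redirects to the login page.
public class NoBrowserCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);       // Cache-Control: no-cache, Pragma: no-cache
        cache.SetNoStore();                                     // Cache-Control: no-store
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches); // Cache-Control: must-revalidate
        cache.SetExpires(DateTime.UtcNow.AddYears(-1));         // Expires: a date in the past
        base.OnResultExecuting(filterContext);
    }
}

// App_Start/FilterConfig.cs: register once instead of decorating each action (assumed file)
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new NoBrowserCacheAttribute());
    }
}

// Authorize at controller level, as suggested in the comments, and open up
// only the login action; an action that forgets an attribute then fails
// closed (login required) rather than open.
[Authorize]
public class UserController : Controller
{
    [AllowAnonymous]
    [HttpGet]
    public ActionResult Login()
    {
        return View();
    }

    public ActionResult Logout()
    {
        System.Web.Security.FormsAuthentication.SignOut();
        Session.Abandon();
        return RedirectToAction("Index", "Home");
    }
}
```

Because the filter runs on the login page too, the "Back" button after logout always triggers a fresh request, which is what the answer's per-action attribute achieves for one page.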