In my ASP.NET MVC (5) application, session is not being used to identify whether a user is logged in or not. Rather, I'm using some encrypted values in query strings or hidden fields.

But just now I realized that any person can visit those user-only-pages from browser history.

Any idea to solve this problem?

UPDATE: Most of the MVC Actions send partial HTML/JSON through AJAX.

UPDATE:

    using System.Web.Mvc;
    public class HomeController : Controller
    {
        // Disable output caching so the page is not served from cache.
        [OutputCache(NoStore = true, Duration = 0, VaryByParam = "None")]
        public ActionResult Index()
        {
            return View(); // I want to prevent this from being viewed from the browser cache.
        }
    }
s.k.paul
    "Rather, I'm using some encrypted values in query strings or hidden fields." - this sounds horrifyingly insecure to me.... – Alex Oct 22 '14 at 11:42

1 Answer

You need to disable caching on the pages that require an authenticated user, e.g.

    // Send Cache-Control: no-cache so the browser must revalidate instead of replaying the page from history.
    Response.Cache.SetCacheability(HttpCacheability.NoCache);

Also see: Prevent Caching in ASP.NET MVC for specific actions using an attribute

Pete Scott
  • Can you provide more details about how you implemented that and what exactly it is doing? – Pete Scott Oct 22 '14 at 11:57
  • @SKPaul How does your view determine if a user is logged in or not, and what does it do when it determines that the user is or is not logged in? – Pete Scott Oct 22 '14 at 12:27
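The answer's approach packaged as a reusable action filter, added here as an example that is not code from the original answer or from the linked question: it sets the no-cache headers on the response itself, so it covers full views, partial views and JSON results alike, which matters because the question notes most actions are called through AJAX. `NoBrowserCacheAttribute`, `AccountController`, and the `[Authorize]` attribute standing in for the asker's own login check are assumptions; the headers stop replay from the browser cache, they do not decide who is allowed to see the page.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute (not from the original post). It works for views,
// partial views and JsonResult alike because it writes the headers on the
// response rather than relying on a view-level OutputCache directive.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class NoBrowserCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpResponseBase response = filterContext.HttpContext.Response;

        // HTTP/1.1 clients: do not cache, do not store, always revalidate.
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.Cache.SetNoStore();
        response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));
        response.Cache.SetMaxAge(TimeSpan.Zero);

        // HTTP/1.0 clients and older proxies.
        response.AppendHeader("Pragma", "no-cache");

        base.OnResultExecuting(filterContext);
    }
}

// Example usage (assumed controller): the cache headers are emitted for the
// full page, the AJAX partial and the JSON endpoint. [Authorize] stands in
// for whatever server-side login check the application actually performs;
// the cache headers alone do not restrict access.
[Authorize]
[NoBrowserCache]
public class AccountController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    public ActionResult Summary()
    {
        return PartialView("_Summary");
    }

    public JsonResult Balance()
    {
        return Json(new { balance = 42 }, JsonRequestBehavior.AllowGet);
    }
}
```

To apply it to every action at once, add `filters.Add(new NoBrowserCacheAttribute());` in `FilterConfig.RegisterGlobalFilters` instead of decorating individual controllers.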