ASP.NET authentication login and logout with browser back button

Question

I am looking for a solution for user use the browser's back button to navigate to previous page once logged out.

I have a web application build in asp.net and using a custom membership provider for authentication and authorization. Everything works fine except when the user click on the logout link to log out of the application and being redirect to a default cover page, if the use click on the BACK BUTTON on their browser, it will actually go back to where they were before and the data will still show up.

Of course they can't do anything on that page, click on anything link they will be redirect to a login page again. But having those information display is making a lot users confused.

i am just wondering if there is any way i can either clear the browser's history so use can't go BACK, or when they click on the back button and have them redirect to the login page.

thanks

+1 for a good question. +1 for good question just barely beat out -1 for bad conclusion. — Sky Sanders, Apr 21 '10 at 22:37

score 23 · Accepted Answer · edited May 23 '17 at 12:00

Worrying about the browser history and back button is going to give you headaches and genital warts. There are facilities built in to handle this problem.

Your logout link/button should point to a page containing this code, along with whatever else you want.

[vb.net]

Imports System.Web.Security

Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) _
 Handles MyBase.Load
    Session.Abandon()
    FormsAuthentication.SignOut()
End Sub

[c#]

using System.Web.Security;

private void Page_Load(object sender, System.EventArgs e)
{
    // Put user code to initialize the page here
    Session.Abandon();
    FormsAuthentication.SignOut();
}

Code comes from this page and is valid but the page is hard on the eyes.

A good Question/Answer regarding backbutton behavior can be found here.

Update:

pursuant to the conversation I am having with Matthew, disabling caching on individual pages that are sensitive or volitile can be done with code such as follows:

Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();

I am curious to know if it works for you as it does for me.

@Sky Sanders - Wait, didn't you tell someone in an answer below that Response.Cache.SetCacheability(HttpCacheability.NoCache) was him "losing his mind?". Regardless, I still like your answer — deebs, Jun 14 '16 at 20:24

score 3 · Answer 2 · answered Apr 21 '10 at 22:27

3

You can use javascript to disable the back button (typically by sending the user to a page that forwards to another page, so that clicking back sends you forward again). A persistent user can still go 2 steps back in history and step over the loop.

That page is in the browser's cache. You can ask the browser to not cache anything, but this will ruin performance, sometimes dramatically, so I wouldn't recommend it.

answered Apr 21 '10 at 22:27

MatthewMartin

32,326
33
105
164

1

Matthew, why suggest a hack when there is functionality built in to handle the problem? – Sky Sanders Apr 21 '10 at 22:33
Session.Abandon and FormsAuthentication.SignOut doesn't tell the browser to clear it's cache (and the browser and the proxies in between don't have to honor a no-cache header) The cached pages can still be loaded, and if a request is made from a page in client cache after the session is nixed, no telling what the result will be, probably NullReferenceExceptions as the page starts to check session variables (and a redirect to the logon page). – MatthewMartin Apr 21 '10 at 23:03
Then no-cache should be set discretely on sensitive or volatile pages that should not be resurrected. You can't control the client and trying just adds complexity. If they want to back 3 clicks into a 'page has expired' after logging out.. ?!?! more power to them. Anyway, I am not dogging you just sayin... p.s. use @sky to make sure I get responses to comments. – Sky Sanders Apr 22 '10 at 00:10
@Sky I'll test this tomorrow if I have time, but when my app went through security scanning (big company stuff), the code was already doing the sign out you suggested (and everyone should, don't get me wrong on that). So it was secure, but you could still navigate back and view pages in the cache. Also, if you tried to do a post back with one of these pages in the cache, you'd get sent to the password page (so it is secure), but on redirect back to the orig page, no telling if session would be there. To make it fairly hard to get back and repost with a stale page, we disabled the back button. – MatthewMartin Apr 22 '10 at 01:56
Cool. I added the code I use to prevent caching. I use this mostly for json handlers but should be applicable and effective. – Sky Sanders Apr 22 '10 at 02:09

score 1 · Answer 3 · edited Sep 28 '12 at 06:29

1

This code is very useful

Response.Cache.SetCacheability(HttpCacheability.NoCache);

Only put this code on load event, on the master pagen in case, but it only works for IE, for IE and Firefox I used

Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();

edited Sep 28 '12 at 06:29

Andrew Barber

39,603
20
94
123

answered Aug 22 '12 at 16:40

Michrl Castle

11
1

score 1 · Answer 4 · answered Dec 10 '13 at 07:14

Your Answer

A workaround to this is to add the following javascript code to the section of the logout.aspx page:

<script type="text/javascript">
 window.history.forward(1);
</script>

This javascript code will forward the user back if the user gets to the logout page by pressing the back button.

If you need to ensure the user has no way to get back to the pages after they logout you must ask the browser not to cache any of the pages by including code similar to the following on every page:

Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1)); 
Response.Cache.SetCacheability(HttpCacheability.NoCache); 
Response.Cache.SetNoStore();

score 0 · Answer 5 · edited Oct 04 '11 at 14:40

You can try using the HttpResponse.Cache property if that would help:

Response.Cache.SetExpires(DateTime.Now.AddSeconds(60));
Response.Cache.SetCacheability(HttpCacheability.Public);
Response.Cache.SetValidUntilExpires(false);
Response.Cache.VaryByParams["Category"] = true;

if (Response.Cache.VaryByParams["Category"])
{
//…
}

Or could could block caching of the page altogether with HttpResponse.CacheControl, but its been deprecated in favor of the Cache property above:

Response.CacheControl = “No-Cache”;

OR you could really go nuts and do it all by hand:

Response.ClearHeaders();
Response.AppendHeader(“Cache-Control”, “no-cache”); //HTTP 1.1
Response.AppendHeader(“Cache-Control”, “private”); // HTTP 1.1
Response.AppendHeader(“Cache-Control”, “no-store”); // HTTP 1.1
Response.AppendHeader(“Cache-Control”, “must-revalidate”); // HTTP 1.1
Response.AppendHeader(“Cache-Control”, “max-stale=0″); // HTTP 1.1
Response.AppendHeader(“Cache-Control”, “post-check=0″); // HTTP 1.1
Response.AppendHeader(“Cache-Control”, “pre-check=0″); // HTTP 1.1
Response.AppendHeader(“Pragma”, “no-cache”); // HTTP 1.1
Response.AppendHeader(“Keep-Alive”, “timeout=3, max=993″); // HTTP 1.1
Response.AppendHeader(“Expires”, “Mon, 26 Jul 1997 05:00:00 GMT”); // HTTP 1.1

Reference

score 0 · Answer 6 · answered Jul 09 '18 at 12:26

The best work around is to place the following code in your master page. It avoids caching the pages and prevents user from accessing it after logging out.

P.S : The following codes are compilation from various sources. Posted it here so anybody looking for a solution might find it useful

Master.cs

protected void Page_Load(object sender, EventArgs e)
    {
        Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore(); 

    }

Master.aspx

<a href="logout.aspx">Logout</span></a>

logout.cs

protected void Timer1_Tick(object sender, EventArgs e)
        {
            Session.Clear();
            Session.Abandon();


 Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();

        try
        {
            Session.Abandon();
            FormsAuthentication.SignOut();
            Response.Cache.SetCacheability(HttpCacheability.NoCache);
            Response.Buffer = true;
            Response.ExpiresAbsolute = DateTime.Now.AddDays(-1d);
            Response.Expires = -1000;
            Response.CacheControl = "no-cache";
            //Response.Redirect("login.aspx", true);
        }
        catch (Exception ex)
        {
            Response.Write(ex.Message);
        }
        Response.Redirect("Signin.aspx");
    }

logout.aspx

<form id="form1" runat="server">
<div>
<asp:Label ID="Label1" Text="Loggin Out Please Wait" runat="server" />
<asp:ScriptManager ID="ScriptManager1" runat="server">
</asp:ScriptManager>
<div>
    <asp:UpdatePanel ID="UpdatePanel1" runat="server">
        <ContentTemplate>
            <asp:Timer ID="Timer1" runat="server" Interval="1000" OnTick="Timer1_Tick">
            </asp:Timer>
        </ContentTemplate>
    </asp:UpdatePanel>
</div>

</div>
</form>

score -3 · Answer 7 · answered Apr 21 '10 at 22:30

-3

actually I found a solution, i added the following snippet to the master page's page load method.

Page.Response.Cache.SetCacheability(HttpCacheability.NoCache);

thanks for the reply anyways :)

answered Apr 21 '10 at 22:30

Eatdoku

6,569
13
63
98

7

Hey, turn around, I think you lost your mind somewhere... ;-p This is like trying to fix a watch with a sledgehammer. To put it kindly, this qualifies for a DWTF. Please reconsider. – Sky Sanders Apr 21 '10 at 22:32

ASP.NET authentication login and logout with browser back button

7 Answers7

Linked

Related