
Currently my ASP.NET webform uses FormsAuthentication.SignOut(). The problem is this:

The user goes to the login page, logs in, and gets redirected to page A.

On page A he clicks on logout and gets redirected to the login page.

In the login page's load event I have FormsAuthentication.SignOut().

I assume this will destroy the authentication cookie.

But the user can still use the browser's back button to go to page A!

Is this accepted? And if not, what is the best way to fix it?

I tried the following but still no luck:

        Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();

The question itself is a duplicate, but none of the provided answers in the other question work. So there is not a working answer.

Also these do not work:

        Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        FormsAuthentication.SignOut();
        Session.Abandon();

Also tried FormsAuthentication.RedirectToLoginPage

Still back button works.

Update: I found a workaround, but it will only work if the browser back button causes ANY form/page event to fire. Do you know if the back button fires any form event?

S Nash
  • possible duplicate of [ASP.NET authentication login and logout with browser back button](http://stackoverflow.com/questions/2686946/asp-net-authentication-login-and-logout-with-browser-back-button) – Mike Cole Apr 17 '15 at 13:42
  • If you click the back button you are going to page A. Refresh the page once and check whether it is page A or the login page. In my opinion, showing an authenticated page on clicking the back button is not at all good practice. – Ajay Apr 17 '15 at 13:45
  • But this seems to be pretty standard. Look at Gmail, for example: if the user logs out and then clicks on the back button, he stays on the login page. – S Nash Apr 17 '15 at 13:58
  • @MikeCole "Worrying about the browser history and back button is going to give you headaches and genital warts" - lol – Aaron Apr 17 '15 at 14:30
  • @SNash have you looked at the answer here: http://stackoverflow.com/questions/16337149/how-to-clear-browser-cache-on-browser-back-button-click-in-mvc4 It's mentioned that you might have to do it at a certain event handler. – Paritosh Apr 17 '15 at 15:36
  • Yes, but no luck. I put a breakpoint on every event handler in global.aspx. None of them get fired on page back. – S Nash Apr 17 '15 at 15:53

1 Answer

I spent hours trying to find an answer. To save time for the future person who is looking for an answer, I am writing up my findings.

Tried all of these:

        Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        FormsAuthentication.SignOut();
        Session.Abandon();

Also tried FormsAuthentication.RedirectToLoginPage

Still the back button works. The reason is that the back button does not seem to fire any events.

Also tried adding meta tags but still no luck.

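Based on my research, the problem is that all of these solutions try to get rid of the cache, but "Back Button in the browser does not use it".

The only working solution I found is JavaScript (it needs to be added to the master page if you have one):

        <script>
            // Push the browser forward again whenever this page is reached via Back.
            function preventBack() { window.history.forward(); }
            setTimeout(preventBack, 0);
            // An unload handler keeps many browsers from restoring this page from
            // the back/forward cache, so the script above runs again on Back.
            window.onunload = function () { };
        </script>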
S Nash
  • Very kludgy way to get `preventdefault`-like behavior for the Back button. Why not just `open new tab` and `close current tab`? – GoldBishop Jan 26 '18 at 17:37
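
An added example, not code from the question, the answer or any commenter in this thread: cache headers apply only to the response they are sent with, so this sketch sends them with the protected page itself and also reloads the page when the browser restores it from its back/forward cache. `SecurePage` and the script key are hypothetical names; it assumes protected pages inherit from this class and contain a `<form runat="server">`.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class (the name is an assumption): every page that
// requires a login inherits from it instead of System.Web.UI.Page.
public class SecurePage : Page
{
    // Runs in the browser. pageshow fires each time the page is displayed,
    // including Back/Forward navigation; event.persisted is true when the
    // page was restored from the back/forward cache without a server request.
    private const string RevalidateScript =
        "window.addEventListener('pageshow', function (e) {" +
        "  if (e.persisted) { window.location.reload(); }" +
        "});";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Sent with the protected page's own response. Headers sent with
        // the login page do not change how page A was stored earlier.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
        Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);

        // Startup scripts are rendered inside the server-side form, so the
        // page needs a <form runat="server"> (assumed here).
        ClientScript.RegisterStartupScript(
            typeof(SecurePage), "revalidate-on-pageshow", RevalidateScript, true);
    }
}
```

Once the reload reaches the server after `FormsAuthentication.SignOut()`, the request carries no valid ticket, so forms authentication redirects it to the login page, assuming the page is denied to anonymous users in the site's authorization settings.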