ASP.NET authentication login and logout with browser back button

I am looking for a solution for user use the browser's back button to navigate to previous page once logged out.

I have a web application build in asp.net and using a custom membership provider for authentication and aut开发者_如何转开发horization. Everything works fine except when the user click on the logout link to log out of the application and being redirect to a default cover page, if the use click on the BACK BUTTON on their browser, it will actually go back to where they were before and the data will still show up.

Of course they can't do anything on that page, click on anything link they will be redirect to a login page again. But having those information display is making a lot users confused.

i am just wondering if there is any way i can either clear the browser's history so use can't go BACK, or when they click on the back button and have them redirect to the login page.

thanks

---

Worrying about the browser history and back button is going to give you headaches and genital warts. There are facilities built in to handle this problem.

Your logout link/button should point to a page containing this code, along with whatever else you want.

[vb.net]

Imports System.Web.Security

Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) _
 Handles MyBase.Load
    Session.Abandon()
    FormsAuthentication.SignOut()
End Sub

[c#]

using System.Web.Security;

private void Page_Load(object sender, System.EventArgs e)
{
    // Put user code to initialize the page here
    Session.Abandon();
    FormsAuthentication.SignOut();
}

Code comes from this page and is valid but the page is hard on the eyes.

A good Question/Answer regarding backbutton behavior can be found here.

Update:

pursuant to the conversation I am having with Matthew, disabling caching on individual pages that are sensitive or volitile can be done with code such as follows:

Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();

I am curious to know if it works for you as it does for me.

---

You can use javascript to disable the back button (typically by sending the user to a page that forwards to another page, so that clicking back sends you forward again). A persistent user can still go 2 steps back in history and step over the loop.

That page is in the browser's cache. You can ask the browser to not cache anything, but this will ruin performance, sometimes dramatically, so I wouldn't recommend it.

---

This code is very useful

Response.Cache.SetCacheability(HttpCacheability.NoCache);

Only put this code on load event, on the master pagen in case, but it only works for IE, for IE and Firefox I used

Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();

---

Your Answer

A workaround to this is to add the following javascript code to the section of the logout.aspx page:

<script type="text/javascript">
 window.history.forward(1);
</script>

This javascript code will forward the user back if the user gets to the logout page by pressing the back button.

If you need to ensure the user has no way to get back to the pages after they logout you must ask the browser not to cache any of the pages by including code similar to the following on every page:

Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1)); 
Response.Cache.SetCacheability(HttpCacheability.NoCache); 
Response.Cache.SetNoStore(); 

---

You can try using the HttpResponse.Cache property if that would help:

Response.Cache.SetExpires(DateTime.Now.AddSeconds(60));
Response.Cache.SetCacheability(HttpCacheability.Public);
Response.Cache.SetValidUntilExpires(false);
Response.Cache.VaryByParams["Category"] = true;

if (Response.Cache.VaryByParams["Category"])
{
//…
}

Or could could block caching of the page altogether with HttpResponse.CacheControl, but its been deprecated in favor of the Cache property above:

Response.CacheControl = “No-Cache”;

OR you could really go nuts and do it all by hand:

Response.ClearHeaders();
Response.AppendHeader(“Cache-Control”, “no-cache”); //HTTP 1.1
Response.AppendHeader(“Cache-Control”, “private”); // HTTP 1.1
Response.AppendHeader(“Cache-Control”, “no-store”); // HTTP 1.1
Response.AppendHeader(“Cache-Control”, “must-revalidate”); // HTTP 1.1
Response.AppendHeader(“Cache-Control”, “max-stale=0″); // HTTP 1.1
Response.AppendHeader(“Cache-Control”, “post-check=0″); // HTTP 1.1
Response.AppendHeader(“Cache-Control”, “pre-check=0″); // HTTP 1.1
Response.AppendHeader(“Pragma”, “no-cache”); // HTTP 1.1
Response.AppendHeader(“Keep-Alive”, “timeout=3, max=993″); // HTTP 1.1
Response.AppendHeader(“Expires”, “Mon, 26 Jul 1997 05:00:00 GMT”); // HTTP 1.1

Reference

---

The best work around is to place the following code in your master page. It avoids caching the pages and prevents user from accessing it after logging out.

P.S : The following codes are compilation from various sources. Posted it here so anybody looking for a solution might find it useful

Master.cs

protected void Page_Load(object sender, EventArgs e)
    {
        Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore(); 

    }

Master.aspx

<a href="logout.aspx">Logout</span></a>

logout.cs

protected void Timer1_Tick(object sender, EventArgs e)
        {
            Session.Clear();
            Session.Abandon();


 Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();

        try
        {
            Session.Abandon();
            FormsAuthentication.SignOut();
            Response.Cache.SetCacheability(HttpCacheability.NoCache);
            Response.Buffer = true;
            Response.ExpiresAbsolute = DateTime.Now.AddDays(-1d);
            Response.Expires = -1000;
            Response.CacheControl = "no-cache";
            //Response.Redirect("login.aspx", true);
        }
        catch (Exception ex)
        {
            Response.Write(ex.Message);
        }
        Response.Redirect("Signin.aspx");
    }

logout.aspx

<form id="form1" runat="server">
<div>
<asp:Label ID="Label1" Text="Loggin Out Please Wait" runat="server" />
<asp:ScriptManager ID="ScriptManager1" runat="server">
</asp:ScriptManager>
<div>
    <asp:UpdatePanel ID="UpdatePanel1" runat="server">
        <ContentTemplate>
            <asp:Timer ID="Timer1" runat="server" Interval="1000" OnTick="Timer1_Tick">
            </asp:Timer>
        </ContentTemplate>
    </asp:UpdatePanel>
</div>

</div>
</form>

---

actually I found a solution, i added the following snippet to the master page's page load method.

Page.Response.Cache.SetCacheability(HttpCacheability.NoCache);

thanks for the reply anyways :)