Hi All,

I have a web site in ASP.NET. We have two types of login: 1. Users 2. Administrator

I am facing the following problem during testing:

Problem statement: Suppose I log in with a user login and surf all the pages. Let's say that on any user page I click the logout button; it redirects me to the login page.

Now the problem comes when I use the browser's back button: it shows me the user's page, but I should not be able to view that page after logout.

My functionality is proper, because if I click on the page after logout it again redirects me to the login page, but my problem is that I should not land on the user page using browser back after logout. [As happens in Google and Yahoo]

Same is happening with Admin login.

Please help me to sort out the problems.

+1  A: 

You must disable cache.

public void Page_Load()
{
    // Mark the response as non-cacheable so it is requested again from the server.
    Response.Cache.SetCacheability(HttpCacheability.NoCache);
    ...
}
bniwredyc
A: 

How do you log in/log out? A proper way of doing this is to save the user info into a session on login and clear that session on logout. In every page's PageLoad method, test whether the session has valid info or not; if not, stop the page load. This way, when the user logs out and clicks back, the session should be empty and it won't load, and you can then redirect to the login page. Reply if you need some code.

Kheu
+3  A: 

The problem is that the pages you can press back to have been cached. You can instruct your browser to ALWAYS fetch the pages from the server every time.

You will need to generate all of the following headers:

Pragma: no-cache
Cache-Control: max-age=1
Expires: Tue, 1 May 1985 01:10:00 GMT

The problem is not all browsers support all options so you have to include all of these headers to ensure all browsers don't cache your pages.

The other reason for needing all of these headers, is that in some cases even if the web browser is respecting the expires headers, there can be a misconfigured proxy server between you and the user that is still caching the pages.

In ASP you probably want to do something like this:

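public void Page_Load() {
    // Expire the response in the past so caches treat it as stale.
    Response.ExpiresAbsolute = DateTime.Now.AddDays(-1d);
    Response.Expires = -1500;
    Response.CacheControl = "no-cache";
    // A fresh value per response, so each download is tagged as a new resource.
    string randomString = Guid.NewGuid().ToString("N");
    Response.Cache.SetETag(randomString);
}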
Jacob
I used to have this same problem. Using a random ETag header also helps, i.e. tag the page as a new resource for every download.
Thanks. Can you help me: how can I generate the above-mentioned characters? Especially in ASP.NET.
Hemant Kothiyal
I have a master page for my aspx. The logout link is available in the master page. Is it necessary to write the above lines of code inside both the master and the aspx? Does it work if I only write them inside the master page? What is the right approach?
Hemant Kothiyal
Your aspx page is a web CONTENT form that will be wrapped by the master page. So it depends where you place the code. If you want to disable the caching just for that specific page, you'd place it in the aspx page load, otherwise you can place it also inside the codebehind of your master page, having the effect that it will hold for all pages of your application.
Juri
You should turn off caching for all dynamic pages, i.e. any page where you don't want the web browser showing old/outdated information.
Jacob
+1  A: 

You have to set the following I guess

Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
Response.Cache.SetValidUntilExpires(false);
Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();

This will cause your page to post back also when the user presses the back button and so you're able to check whether he's still logged in and in case redirect him to some other place.

Juri
Where should i write above lines of code?
Hemant Kothiyal
Puh, I didn't try it out now, but I would place it in the PageLoad of the page where you need to check whether the user is logged in. Basically the page which will get displayed after the user clicks the back button on some other page.
Juri
At least put a comment if you downvote...
Juri
This only prevents the problem in most cases. I've seen client sites where things were cached until unique/random ETags were also generated. Caused by really badly configured proxy servers.
Jacob
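
The pieces discussed in the answers above (the cache headers, the session check on every page, and a single place to put them) combined in one sketch. This is an added example, not code from any of the posters; the class name `AuthenticatedPage`, the session key `"UserId"` and the path `~/Login.aspx` are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class: every page that requires a login inherits from
// this instead of System.Web.UI.Page, so the check lives in one place.
public class AuthenticatedPage : Page
{
    // Assumed session key, written by the login handler after a successful login.
    protected const string UserKey = "UserId";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Tell the browser and any intermediate proxy not to keep a copy,
        // so pressing Back after logout has to ask the server again.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
        Response.Cache.SetValidUntilExpires(false);
        Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);

        // Server-side check: the headers only force a new request; this is
        // what actually refuses to render the page once the session is gone.
        if (Session[UserKey] == null)
        {
            // endResponse = true stops page processing, so no protected
            // markup is rendered into the redirect response.
            Response.Redirect("~/Login.aspx", true);
        }
    }

    // Called from the logout link's click handler (for example in the master page).
    public void SignOut()
    {
        Session.Clear();    // drop the stored user info
        Session.Abandon();  // end the session on the server
        Response.Redirect("~/Login.aspx", true);
    }
}
```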