In a normal web app w/ login and secure data, what is an easy way to secure that data and prevent it from being seen by using the browser's back button, once a user logs out?
views: 1603
answers: 6
Depends on your login solution (SSO - Windows Live / OpenID vs homegrown, where login info is stored, etc)... Since 'back' doesn't generally request the page again, I'd suggest clearing the forms in JavaScript (OnLoad). On the server side, you can then populate them (Page_Load). Clear your session and viewstate upon logoff.
Set the caching headers to disallow any caching of the page at all. This should prevent even the page itself from being shown when the user hits the back button unless they are logged in.
Here's a useful browser caching guide.
You want to set the cache-control and expiration date headers (setting a date in the past), e.g.
Cache-Control: no-cache
Expires: Fri, 31 Dec 1998 12:00:00 GMT
Cache control headers (Expires, Cache-Control, ETag) will generally prevent the caching of the page, forcing the browser to request a new copy at which point you can check the session status. They are sometimes ignored in the interests of "performance" though.
There are two Javascript approaches that could help you:
- Use the exit event from your page (onSubmit for forms or onUnload for other pages) to clear the content when leaving pages.
- Use document.location.replace() instead of normal links when moving between pages so as not to leave a trail in the browser history that the user could return to.
Both of these are likely to have a pretty horrid effect on usability though.
There is no perfect solution
Although there are some very reasonable solutions to this (cache control headers, javascript, etc), you need to realise that once you have sent something to a client, it is out of your control. You cannot guarantee that the client will treat the data in the way you would like.
For example:
- there could be a bug in a browser
- a browser might allow users to turn off cache control
- a user might be running with javascript disabled
Sorry :(
I have tried this VB.NET code on IE and Firefox.
    Response.Cache.SetAllowResponseInBrowserHistory(False)
    Response.Cache.SetCacheability(HttpCacheability.NoCache)
    Response.Cache.SetNoStore()
    Response.Expires = 0
This does the trick, but I agree with the other answers that you can't guarantee how a client browser will behave.
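The header-based answers above (the Cache-Control / Expires answer and the VB.NET one) boil down to the same server-side pattern: every private page and the logout response carry no-store headers, so a "back" navigation has to refetch, and the refetch finds no session and redirects to login. This is an added example, not code from any of the answers; it is a minimal WSGI app with a constructed in-memory session store and a tiny fake client (`call`) so it runs offline.

```python
from http.cookies import SimpleCookie

# Constructed in-memory session store: session id -> username (an assumption
# for the example; a real app would use its framework's session backend).
SESSIONS = {"sid-abc123": "alice"}

# no-store is what stops the page being kept for the back button; the older
# no-cache / Pragma / Expires forms are included for caches and proxies that
# only honour those.
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]

def session_id(environ):
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return cookie["sid"].value if "sid" in cookie else None

def session_user(environ):
    """Return the logged-in user for the request's session cookie, or None."""
    return SESSIONS.get(session_id(environ))

def app(environ, start_response):
    """WSGI app: /account is private, /logout destroys the session."""
    path = environ.get("PATH_INFO", "/")
    if path == "/logout":
        SESSIONS.pop(session_id(environ), None)  # server-side invalidation
        start_response("302 Found", [("Location", "/login")] + NO_STORE_HEADERS)
        return [b""]
    if path == "/account":
        user = session_user(environ)
        if user is None:
            # A refetch after logout (e.g. via the back button) lands here.
            start_response("302 Found", [("Location", "/login")] + NO_STORE_HEADERS)
            return [b""]
        start_response("200 OK", [("Content-Type", "text/plain")] + NO_STORE_HEADERS)
        return [f"Secret account data for {user}".encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])  # public, cacheable
    return [b"public page"]

def call(path, cookie=""):
    """Tiny test client: returns (status, headers dict, body bytes)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app({"PATH_INFO": path, "HTTP_COOKIE": cookie}, start_response))
    return captured["status"], captured["headers"], body
```

Calling `/account`, then `/logout`, then `/account` again with the same cookie reproduces the back-button sequence: the first response is served with no-store, and the third is a redirect to login rather than the cached secret.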