Possible Duplicate:
Disable browser's back button
How can I disable a browsers back button, in an asp.net mvc project. Can I use java script for this ? or is there any other ways to do this ?
views:
132answers:
5
+4
A:
This has often been discussed on countless threads, the most exhaustive article is here and why it always will not work.
RandomNoob
2010-08-31 17:12:02
+1
A:
I would have to assume it is impossible. That would be a big security issue on most browsers. I don't even remember in IE4 when the most extreme things were allows, you being able to do it.
Anthony Greco
2010-08-31 17:12:20
I don't understand how it would be a "security" issue. A usability issue, yes. How can a website's security rely on a user having the ability to use the back button?
Matthew
2010-08-31 17:25:51
@Matthew: I'm sure *someone* would find a nasty way to exploit it... ;)
FrustratedWithFormsDesigner
2010-08-31 17:42:47
@Matthew: site could check referral URL (e.g. bankofamerica.com) and halt operation on back press, replacing the current page with a bankofamerica phishing site. I'd bet good money somebody would be fooled by this.
treeface
2010-08-31 17:58:03
@treeface If you are on bankofamerica.com it's going to be using a secure connection. "If a website is accessed from a HTTP Secure connection and a link points to a non-secure connection, then the referrer header is not sent" - http://en.wikipedia.org/wiki/HTTP_referrer.Not to mention I'm sure bankofamerica.com takes great care in the websites they link to.
Matthew
2010-08-31 18:13:38
Sure, of course, but you get the idea. Things can be faked. A better example might be something like reddit or stackoverflow linking to some website. On back the malicious site fakes a login page.
treeface
2010-08-31 18:15:17
@treeface, alright, but actually disabling the back button wouldn't be a security issue (as I've understood so far). Also, the things you've mentioned would mean the website would be able to "know" that the back button was pressed which (I believe) isn't possible.
Matthew
2010-08-31 18:29:30
Indeed you are correct. I suppose I was presenting a (presumably) fictional alternate universe where a browser had granted not only access to disable the back button but also an event to detect it. I took the question more as: "is there an event in javascript that detects the back button being pressed for which you can return false, killing the normal execution of the event?", and in this context, perhaps you can see what I was getting at. Specifically disabling the back button presents no real security issue (as far as I can tell), but it does present a very real UI consistency issue.
treeface
2010-08-31 18:36:17
I did not mean someone was going to be able to use it to exploit the system, i meant it would allow users to confuse and make the browser in a way not expected or wanted by the user. Lets say i click to www.blah.com and now want to go back. To disable it is surely not what I want. Talk to some people who have no clue about a computer. The second they see their Back button not work they will assume they have a virus or are being hacked. To them it's a security issue.
Anthony Greco
2010-08-31 23:16:21
And for the link issues there's plenty of examples of how to do this. Example would be a lot of sites, including AOL.com used to have URL's like site.dhtml?msg=BLAH where u could inject HTML into msg. Now a meta redirect injected to a fake phish site is a perfect situation explaining a security issue. Especially since my mother, who has used a computer since I have (15 years) has no clue what HTTP or HTTPS is.
Anthony Greco
2010-08-31 23:18:17
A:
I don't think that you can disable the back button, althought there are some "techniques" like those described in this site: http://www.htmlgoodies.com/tutorials/buttons/article.php/3478911/Disabling-the-Back-Button.htm
tehsis
2010-08-31 17:13:00
A:
It is not possible to the disable the BACK button of the browser, but if you don't want the user to go back to a previous page then you can add this javascript function to your page:
<script language="javascript">
function DisableBackButton()
{
history.forward();
}
</script>
And call this function in body only..
Like
<form id="form1" runat="server">
<script language="javascript">DisableBackButton();</script>
---your page design----------
</form>
dvanaria
2010-08-31 17:13:16
+3
A:
A website should not try to cripple the browser, but instead should work inside the browser-page system of the web. There are good reason for not wanting the user to click back (re-POSTing data, especially financial transactions and the like), but rather than forcing them not to, your website should handle these gracefully. Using a good framework like .NET leaves you a lot of great options for keeping your site stateful even amid the stateless web. Write your code to fit the browser, don't make the browser fit your code (like the ridiculous no-right-click javascripts of yesteryear).
That said, thankfully there is no way to do this, and even if there were, it could always be disabled on the client side.
Chet
2010-08-31 17:17:30