My site has a master page, and part of it is a login section. Some of the content pages can be viewed by all visitors, including guests, while others are subject to a security level. After logging out, I want to prevent the user from pressing the back button on the browser. If possible, I would like to show a Page Expired form.

A: 

Well what you should be doing is applying the PRG (Post-Redirect-Get) pattern.

After logging out, redirect to another page (like the homepage).

So if the user presses the back button, they will be taken back to the Logout page (and redirected again).

That's my opinion.

But if you want to try and display the Expired Page, you could try adding this to the code on your Logout.aspx page (prior to Redirect).

// Warning: Untested
// Expires in the past: tells the browser the response is already stale.
Response.Cache.SetExpires(DateTime.Now.AddDays(-1));
// Cache-Control: no-cache (plus Pragma: no-cache for HTTP/1.0 caches).
Response.Cache.SetCacheability(HttpCacheability.NoCache);
// Do not let ASP.NET's own output cache serve this response once it has expired.
Response.Cache.SetValidUntilExpires(false);
RPM1984
As I've mentioned, there is no logout (or login) page. The login/logout is a section of the masterpage.
Guy
Yes, I realise there is no "Logout Page", but people normally have a "logout" link/button, which posts/redirects to Logout.aspx (just a 'staging' page - no markup), which performs the logout in the code-behind then redirects. What does your logout link/button do then? You don't actually 'see' the Logout.aspx page - its purpose is to perform a graceful logout mechanism.
RPM1984
Currently my logout button removes the session parameters that the login button created and redirects to the start content page
Guy
Right. So let's be clear here, you are using Cookie-less Forms Authentication? That is, the session is stored as part of the querystring in the url?
RPM1984
No. I'm probably missing something here, being a newbie and all, but on logging in I'm creating session variables in this form: Session["UserName"] = curUser.UserName
Guy
Yes, that's fine - but that's separate to "authentication". In your web.config, what do you have for `<authentication mode=???>`? Most likely you will be using "Forms"; if that's the case you shouldn't be storing UserName in Session, it should be handled by FormsAuthentication. Take a look on www.asp.net for more info.
RPM1984
Actually, I haven't used any authentication in my web.config. See, the way the project is designed, you can only get to member allowed forms through menu entries. All the other forms (the ones displayed when the site loads) are available to everyone. So, according to the user's member level, I show the relevant menu entries or none of them if he's not logged in.
Guy
Okay, so you're using your own custom authentication scheme, that's fine (for non-security-essential apps).
RPM1984
Which returns me to my initial question. When a user logs off, how do you prevent him from going back?
Guy
You can't prevent the "back" button; you can only put in measures on your pages to prevent this kind of unwanted behaviour. One is PRG (which I mentioned, but which you cannot really use, by the sounds of it). Another is the Expires header. But I have never used the latter (haven't needed to), so I'm not sure how much help I can be.
RPM1984
+2 A: 

Add an Expires meta tag to the pages if you don't want back functionality.

<META HTTP-EQUIV="EXPIRES" CONTENT="0">

Or alternatively, in ASP.NET:

<%@ OutputCache location="none" %>
Faheem
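Both answers above deal with the same two pieces: sending the browser headers that stop it rendering a cached copy of a members-only page, and making the logout itself a redirect (PRG). The example below is added here as an illustration and is not code from either answerer or from the asker's project. It puts the two together for the asker's setup (a Session["UserName"] check rather than FormsAuthentication): a hypothetical MemberPage base class that members-only content pages derive from, a hypothetical Logout.aspx code-behind, and hypothetical page names Default.aspx and Expired.aspx. The important caveat is in the comments: the headers only stop stale rendering; it is the server-side session check on every request that actually enforces the logout, because the back button can never be disabled.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class (assumption, not from the post) for the content pages
// that are subject to a security level. Public pages keep deriving from Page.
public class MemberPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Cache-Control: no-cache, no-store, max-age=0, Expires in the past.
        // no-store is what stops the browser replaying this page from history
        // after the back button; the other values cover HTTP/1.0 caches and proxies.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetMaxAge(TimeSpan.Zero);
        Response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));

        // The real control: every request to a member page re-checks the session.
        // After Logout.aspx has run, Session["UserName"] is null, so Back produces
        // a fresh request that lands here and is sent to the expired page.
        if (Session["UserName"] == null)
        {
            Response.Redirect("~/Expired.aspx", true);   // hypothetical "Page Expired" form
        }
    }
}

// Hypothetical Logout.aspx code-behind (no markup needed). The logout link in the
// master page points here; the user never sees this page because it redirects.
public partial class Logout : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Invalidate the session on the server. Without this step the cache
        //    headers only hide the page; the old session would still be valid.
        Session.Clear();
        Session.Abandon();

        // Expire the session cookie in the browser so the old id is not sent again.
        var dead = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        };
        Response.Cookies.Add(dead);

        // 2. Make sure this staging page itself is never cached either.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));

        // 3. Post-Redirect-Get: send the user to a public page. Pressing Back from
        //    there re-runs this logout (harmless) or re-requests a MemberPage, which
        //    now redirects to Expired.aspx.
        Response.Redirect("~/Default.aspx", true);   // hypothetical public start page
    }
}
```

The meta tag from the second answer can be added as well, but browsers honour the real Cache-Control and Expires headers more reliably than a `<META HTTP-EQUIV>` element, and neither replaces the session check in MemberPage: a user who has logged out must be refused by the server, not merely shown a blank cache.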