I have an ASP.NET application using Forms Authentication. When the user clicks the Sign Out button on the page it runs the following code.

    // Clear the forms-authentication ticket/cookie
    FormsAuthentication.SignOut();
    // Ask the browser and proxies not to keep this response
    Response.Expires = 0;
    Response.Cache.SetNoStore();
    Response.AppendHeader("Pragma", "no-cache");

However, the user can still just press the back arrow and see the previous page without needing to log in again. I am sure it has something to do with the previous page being cached. How can I make sure they are prompted to log in again when going back?

A: 

And now you know why you get the message, "You've been logged out. Please close this browser window for security reasons."

No cache is a workaround.

The penultimate workaround is to use ajax to pull any sensitive information down - this would be run again in the back case, and the information should not be cached. It's more connections and more latency, but due to modern browser caching there's not much that can be done except workarounds such as these.

Adam Davis
I don't get the message "You've been logged out. Please close this browser window for security reasons".
Craig
Then you haven't programmed it in. In many software applications where security is needed, such as paypal, or outlook web access, you'll get that or a substantially similar message. You might look at what they are doing to prevent the back button from working. It's just HTTP.
Adam Davis
+4  A: 
    Response.Cache.SetCacheability(HttpCacheability.NoCache);
Mehrdad Afshari
Nice one. When I put this in the Page_Load of the master page it works. :-)
Craig
A: 

While caching is not guaranteed, this works for me for the most part.

    //Used for disabling page caching
    HttpContext.Current.Response.Cache.SetExpires(
      DateTime.UtcNow.AddDays(-1));
    HttpContext.Current.Response.Cache.SetValidUntilExpires(false);
    HttpContext.Current.Response.Cache.SetRevalidation(
      HttpCacheRevalidation.AllCaches);
    HttpContext.Current.Response.Cache.SetCacheability(
      HttpCacheability.NoCache);
    HttpContext.Current.Response.Cache.SetNoStore();

Run this in any page's OnInit() method (maybe by using a base class) on any page you don't want the users to be able to cache.

Be careful though: some pages may require you to allow caching, such as file downloads on SSL pages, etc.

I found this code somewhere, if I find the link I'll update the post.

TJB
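Putting the base-class idea from this answer together with the sign-out handler in the question, as an added example (not code from any of the posters): a hypothetical `NoCachePage` base class emits the no-store headers from `OnInit`, pages that must remain cacheable (file downloads) opt out by overriding `DisableCaching`, and the sign-out handler redirects instead of rendering so the sign-out response itself never becomes a page the back button can return to. The class and page names are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical base class for every page that shows authenticated content.
public class NoCachePage : Page
{
    // Override and return false on pages that must stay cacheable,
    // e.g. file downloads served over SSL.
    protected virtual bool DisableCaching
    {
        get { return true; }
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (DisableCaching)
        {
            ApplyNoCacheHeaders(Response);
        }
    }

    // Emits headers so neither the browser nor intermediate caches keep a copy:
    // Expires in the past, Cache-Control: no-cache, no-store, and Pragma: no-cache.
    public static void ApplyNoCacheHeaders(HttpResponse response)
    {
        HttpCachePolicy cache = response.Cache;
        cache.SetExpires(DateTime.UtcNow.AddDays(-1));
        cache.SetValidUntilExpires(false);
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        cache.SetCacheability(HttpCacheability.NoCache);
        cache.SetNoStore();
        response.AppendHeader("Pragma", "no-cache");
    }
}

// Hypothetical page that hosts the Sign Out button.
public partial class AccountPage : NoCachePage
{
    protected void SignOut_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();   // drop the authentication ticket
        Session.Abandon();               // drop any server-side session state
        // Redirect to the login page instead of rendering a "signed out" page,
        // so the last response in history is the login form, not a protected page.
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Because the headers are sent before any page content, a back-button visit forces the browser to re-request the page, at which point Forms Authentication sees no ticket and sends the user to the login page.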