
Hi,

I am looking for a solution for when a user uses the browser's back button to navigate to the previous page once logged out.

I have a web application built in ASP.NET, using a custom membership provider for authentication and authorization. Everything works fine except when the user clicks on the logout link to log out of the application and is redirected to a default cover page: if the user clicks the BACK BUTTON in their browser, it will actually go back to where they were before and the data will still show up.

Of course they can't do anything on that page; if they click on any link they will be redirected to a login page again. But having that information displayed is confusing a lot of users.

I am just wondering if there is any way I can either clear the browser's history so the user can't go BACK, or have them redirected to the login page when they click on the back button.

thanks

+1  A: 

Worrying about the browser history and back button is going to give you headaches and genital warts. There are facilities built in to handle this problem.

Your logout link/button should point to a page containing this code, along with whatever else you want.

[vb.net]

Imports System.Web.Security

Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) _
 Handles MyBase.Load
    Session.Abandon()
    FormsAuthentication.SignOut()
End Sub

[c#]

using System.Web.Security;

private void Page_Load(object sender, System.EventArgs e)
{
    // Put user code to initialize the page here
    Session.Abandon();
    FormsAuthentication.SignOut();
}

Code comes from this page and is valid but the page is hard on the eyes.

A good Question/Answer regarding back button behavior can be found here.

Update:

Pursuant to the conversation I am having with Matthew, disabling caching on individual pages that are sensitive or volatile can be done with code such as follows:

Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();

I am curious to know if it works for you as it does for me.

Sky Sanders
+1  A: 

You can use JavaScript to disable the back button (typically by sending the user to a page that forwards to another page, so that clicking back sends you forward again). A persistent user can still go 2 steps back in history and step over the loop.

That page is in the browser's cache. You can ask the browser to not cache anything, but this will ruin performance, sometimes dramatically, so I wouldn't recommend it.

MatthewMartin
Matthew, why suggest a hack when there is functionality built in to handle the problem?
Sky Sanders
Session.Abandon and FormsAuthentication.SignOut don't tell the browser to clear its cache (and the browser and the proxies in between don't have to honor a no-cache header). The cached pages can still be loaded, and if a request is made from a page in client cache after the session is nixed, no telling what the result will be, probably NullReferenceExceptions as the page starts to check session variables (and a redirect to the logon page).
MatthewMartin
Then no-cache should be set discretely on sensitive or volatile pages that should not be resurrected. You can't control the client and trying just adds complexity. If they want to back 3 clicks into a 'page has expired' after logging out.. ?!?! more power to them. Anyway, I am not dogging you just sayin... p.s. use @sky to make sure I get responses to comments.
Sky Sanders
@Sky I'll test this tomorrow if I have time, but when my app went through security scanning (big company stuff), the code was already doing the sign out you suggested (and everyone should, don't get me wrong on that). So it was secure, but you could still navigate back and view pages in the cache. Also, if you tried to do a post back with one of these pages in the cache, you'd get sent to the password page (so it is secure), but on redirect back to the orig page, no telling if session would be there. To make it fairly hard to get back and repost with a stale page, we disabled the back button.
MatthewMartin
Cool. I added the code I use to prevent caching. I use this mostly for json handlers but should be applicable and effective.
Sky Sanders
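
An added example, not code from any of the posts above: the three cache calls from the first answer's update, applied only to responses served to a signed-in user, so the cover page, login page and other anonymous content keep normal caching. The module name `NoStoreForAuthenticatedModule` is hypothetical, and the module is assumed to be registered in web.config as an HTTP module.

```csharp
using System;
using System.Web;

// Hypothetical module name. Assumed registration: <system.webServer><modules>
// for the integrated pipeline, or <system.web><httpModules> for classic mode.
public class NoStoreForAuthenticatedModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // PostAuthorizeRequest fires after forms authentication has set
        // Context.User and before the page handler runs.
        app.PostAuthorizeRequest += OnPostAuthorizeRequest;
    }

    private static void OnPostAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Anonymous responses are left alone, so only content rendered for
        // a signed-in user gives up browser and proxy caching.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;

        HttpCachePolicy cache = ctx.Response.Cache;

        // Same three calls as in the answer above.
        cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
        cache.SetCacheability(HttpCacheability.NoCache);
        cache.SetNoStore();

        // Also ask caches to revalidate instead of serving a stale copy.
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
    }

    public void Dispose()
    {
        // No unmanaged resources to release.
    }
}
```

The logout page itself still needs `Session.Abandon()` and `FormsAuthentication.SignOut()`; the module only controls whether pages rendered during the authenticated session may be stored and replayed afterwards.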
A: 

Hi,

Actually I found a solution: I added the following snippet to the master page's page load method.

Page.Response.Cache.SetCacheability(HttpCacheability.NoCache);

thanks for the reply anyways :)

Eatdoku
Hey, turn around, I think you lost your mind somewhere... ;-p This is like trying to fix a watch with a sledgehammer. To put it kindly, this qualifies for a DWTF. Please reconsider.
Sky Sanders
alright!!...let me give it a try again :)
Eatdoku