ASP.NET authentication login and logout with browser back button

I am looking for a solution for user use the browser’s back button to navigate to previous page once logged out.

I have a web application build in asp.net and using a custom membership provider for authentication and authorization. Everything works fine except when the user click on the logout link to log out of the application and being redirect to a default cover page, if the use click on the BACK BUTTON on their browser, it will actually go back to where they were before and the data will still show up.

Of course they can’t do anything on that page, click on anything link they will be redirect to a login page again. But having those information display is making a lot users confused.

i am just wondering if there is any way i can either clear the browser’s history so use can’t go BACK, or when they click on the back button and have them redirect to the login page.

thanks

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

Worrying about the browser history and back button is going to give you headaches and genital warts. There are facilities built in to handle this problem.

Your logout link/button should point to a page containing this code, along with whatever else you want.
[vb.net]

Imports System.Web.Security

Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) _
 Handles MyBase.Load
    Session.Abandon()
    FormsAuthentication.SignOut()
End Sub

[c#]

using System.Web.Security;

private void Page_Load(object sender, System.EventArgs e)
{
    // Put user code to initialize the page here
    Session.Abandon();
    FormsAuthentication.SignOut();
}

Code comes from this page and is valid but the page is hard on the eyes.

A good Question/Answer regarding backbutton behavior can be found here.

Update:

pursuant to the conversation I am having with Matthew, disabling caching on individual pages that are sensitive or volitile can be done with code such as follows:

Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();

I am curious to know if it works for you as it does for me.

Method 2

You can use javascript to disable the back button (typically by sending the user to a page that forwards to another page, so that clicking back sends you forward again). A persistent user can still go 2 steps back in history and step over the loop.

That page is in the browser’s cache. You can ask the browser to not cache anything, but this will ruin performance, sometimes dramatically, so I wouldn’t recommend it.

Method 3

This code is very useful

Response.Cache.SetCacheability(HttpCacheability.NoCache);

Only put this code on load event, on the master pagen in case, but it only works for IE, for IE and Firefox I used

Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();

Method 4

Your Answer

A workaround to this is to add the following javascript code to the section of the logout.aspx page:

<script type="text/javascript">
 window.history.forward(1);
</script>

This javascript code will forward the user back if the user gets to the logout page by pressing the back button.

If you need to ensure the user has no way to get back to the pages after they logout you must ask the browser not to cache any of the pages by including code similar to the following on every page:

Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1)); 
Response.Cache.SetCacheability(HttpCacheability.NoCache); 
Response.Cache.SetNoStore();

Method 5

You can try using the HttpResponse.Cache property if that would help:

Response.Cache.SetExpires(DateTime.Now.AddSeconds(60));
Response.Cache.SetCacheability(HttpCacheability.Public);
Response.Cache.SetValidUntilExpires(false);
Response.Cache.VaryByParams["Category"] = true;

if (Response.Cache.VaryByParams["Category"])
{
//…
}

Or could could block caching of the page altogether with HttpResponse.CacheControl, but its been deprecated in favor of the Cache property above:

Response.CacheControl = “No-Cache”;

OR you could really go nuts and do it all by hand:

Response.ClearHeaders();
Response.AppendHeader(“Cache-Control”, “no-cache”); //HTTP 1.1
Response.AppendHeader(“Cache-Control”, “private”); // HTTP 1.1
Response.AppendHeader(“Cache-Control”, “no-store”); // HTTP 1.1
Response.AppendHeader(“Cache-Control”, “must-revalidate”); // HTTP 1.1
Response.AppendHeader(“Cache-Control”, “max-stale=0″); // HTTP 1.1
Response.AppendHeader(“Cache-Control”, “post-check=0″); // HTTP 1.1
Response.AppendHeader(“Cache-Control”, “pre-check=0″); // HTTP 1.1
Response.AppendHeader(“Pragma”, “no-cache”); // HTTP 1.1
Response.AppendHeader(“Keep-Alive”, “timeout=3, max=993″); // HTTP 1.1
Response.AppendHeader(“Expires”, “Mon, 26 Jul 1997 05:00:00 GMT”); // HTTP 1.1

Reference

Method 6

The best work around is to place the following code in your master page. It avoids caching the pages and prevents user from accessing it after logging out.

P.S : The following codes are compilation from various sources. Posted it here so anybody looking for a solution might find it useful

Master.cs

protected void Page_Load(object sender, EventArgs e)
    {
        Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore(); 

    }

Master.aspx

<a href="logout.aspx" rel="nofollow noreferrer noopener">Logout</span></a>

logout.cs

protected void Timer1_Tick(object sender, EventArgs e)
        {
            Session.Clear();
            Session.Abandon();


 Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();

        try
        {
            Session.Abandon();
            FormsAuthentication.SignOut();
            Response.Cache.SetCacheability(HttpCacheability.NoCache);
            Response.Buffer = true;
            Response.ExpiresAbsolute = DateTime.Now.AddDays(-1d);
            Response.Expires = -1000;
            Response.CacheControl = "no-cache";
            //Response.Redirect("login.aspx", true);
        }
        catch (Exception ex)
        {
            Response.Write(ex.Message);
        }
        Response.Redirect("Signin.aspx");
    }

logout.aspx

<form id="form1" runat="server">
<div>
<asp:Label ID="Label1" Text="Loggin Out Please Wait" runat="server" />
<asp:ScriptManager ID="ScriptManager1" runat="server">
</asp:ScriptManager>
<div>
    <asp:UpdatePanel ID="UpdatePanel1" runat="server">
        <ContentTemplate>
            <asp:Timer ID="Timer1" runat="server" Interval="1000" OnTick="Timer1_Tick">
            </asp:Timer>
        </ContentTemplate>
    </asp:UpdatePanel>
</div>

</div>
</form>

Method 7

actually I found a solution, i added the following snippet to the master page’s page load method.

Page.Response.Cache.SetCacheability(HttpCacheability.NoCache);

thanks for the reply anyways 🙂


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x