I am working on an MVC3 application and am stuck with a login security issue. The scenario is that when a user logs in with his/her username and password, if they are correct, he/she is redirected to their homepage.
But if they click the browser's back button, they go back to the login page, which in my case I do not want. It's the same as Facebook, Gmail, etc., where once a user logs in with his/her credentials, they cannot go back to the login page simply by clicking the browser's back button.
Answers:
Method 1
You can use JavaScript that checks for a cookie you'll give after successful login. The JS will check it on page load and redirect to a non-login page if the cookie exists. There are also other methods to do that, as described in:
here
Method 2
You need to expire the cache and set the headers; here is what I use:
<%
    // Keep this response out of the browser's back/forward history and out of every cache
    HttpContext.Current.Response.Cache.SetAllowResponseInBrowserHistory(false);
    HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);
    // Expires header in the past, so any stored copy is already stale
    HttpContext.Current.Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
    HttpContext.Current.Response.Cache.SetValidUntilExpires(false);
    // Cache-Control: must-revalidate / proxy-revalidate for intermediate caches
    HttpContext.Current.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
    // Cache-Control: no-store, so the page body is never written to disk
    HttpContext.Current.Response.Cache.SetNoStore();
    Response.Cache.SetExpires(DateTime.Now);
    // Pragma: no-cache for HTTP/1.0 caches
    System.Web.HttpContext.Current.Response.AddHeader("Pragma", "no-cache");
    Response.Cache.SetValidUntilExpires(true);
    Response.Buffer = true;
    // Legacy ASP-style properties for older clients and proxies
    Response.ExpiresAbsolute = DateTime.Now.Subtract(new TimeSpan(1, 0, 0, 0));
    Response.Expires = 0;
    Response.CacheControl = "no-cache";
    Response.Cache.SetExpires(DateTime.UtcNow.AddYears(-4));
    Response.Cache.AppendCacheExtension("must-revalidate, proxy-revalidate, post-check=0, pre-check=0");
%>
<script language="javascript" type="text/javascript">
window.onbeforeunload = function () {
// This function does nothing. It won't spawn a confirmation dialog
// But it will ensure that the page is not cached by the browser.
}
</script>
Add this in the page head, and the next time the user tries to go back it will request a new page load.
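Both answers can be done on the server side, which avoids relying on a client-side cookie check (Method 1) and on repeating the header block in every view (Method 2). The following is an added example in C# for ASP.NET MVC 3; it is not code from either answer or from the asker's project. The names NoCacheAttribute, AccountController and HomeController are assumed, and the redirect target ("Index" on "Home") is a placeholder for whatever the application's homepage is. It uses only standard System.Web and System.Web.Mvc members.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Assumed name. An action filter that sends the same no-cache / no-store headers
// that Method 2 sets inline, so every decorated action gets them without copying
// the block into each view.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class NoCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpResponseBase response = filterContext.HttpContext.Response;
        HttpCachePolicyBase cache = response.Cache;

        cache.SetCacheability(HttpCacheability.NoCache);        // Cache-Control: no-cache
        cache.SetNoStore();                                      // Cache-Control: no-store
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches);  // must-revalidate, proxy-revalidate
        cache.SetExpires(DateTime.UtcNow.AddDays(-1));           // Expires: already in the past
        cache.SetAllowResponseInBrowserHistory(false);           // keep it out of the Back/Forward cache
        response.AppendHeader("Pragma", "no-cache");             // for HTTP/1.0 caches

        base.OnResultExecuting(filterContext);
    }
}

// Assumed controller. The GET Login action is the key part: when the request already
// carries a valid forms-authentication cookie (the user pressed Back after logging in),
// it never renders the login form and redirects to the homepage instead. This is the
// server-side equivalent of Method 1's cookie check and cannot be bypassed by disabling
// JavaScript.
[NoCache]
public class AccountController : Controller
{
    [HttpGet]
    public ActionResult Login(string returnUrl)
    {
        if (User.Identity.IsAuthenticated)
        {
            return RedirectToAction("Index", "Home"); // placeholder homepage route
        }

        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    // Sign out and send the user to the login page. Because every action here is
    // [NoCache], pressing Back after this will re-request the page rather than show
    // a cached authenticated copy.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Login");
    }
}

// The homepage should carry the same filter plus [Authorize]; otherwise the Back
// button after LogOff can still show a cached copy of the authenticated page.
[Authorize]
[NoCache]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```

The redirect in Login is what actually answers the question: the headers only stop the browser from serving a stale copy, so after the Back button the login URL is requested again, and the redirect then sends an already-authenticated user to the homepage. Apply [NoCache] to every authenticated page, not only the login page, so the same reasoning holds after logout. The POST side of Login (credential validation and FormsAuthentication.SetAuthCookie) is omitted because it does not change with this fix.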
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.