Browser Back button problem

GMK

Dear all,
I'm having a problem concerning the security of my application.
The problem is that when a user is logged in and then logs out, I redirect
him to the main page of my application, but if he clicks on the browser's
"Back button" he can then enter the application.
I'm removing all sessions concerning the application on logout, but I would
like to know how I could handle the "Back button click event" of the
browser.

Thanks in advance for your help.
 
Scott M.

You can't handle the back button of the browser, since it is a client-side
event. There are some alternatives though...

You could check for a valid session on the page that could be "backed" into
and, if there isn't one, redirect the user to the logged out page.

You could set the page being backed into to expire immediately, so that when
a user backs into it, they get a page expired message, rather than the page.
 
Andy Fish

If the browser does not re-request the page when he uses the back button,
and simply displays the cached page, (IE does this with the default
settings) there is nothing you can do since no request is re-sent to the
server when he clicks back.

If the back button is requesting the page from the server and your app
thinks he is logged in, it seems you are not doing a very good job of
logging him out!! To log him out you should do this:

Session.Clear();
Session.Abandon();
FormsAuthentication.SignOut();

(assuming you are using forms authentication). Then when he clicks back, he
will just see the login page.

Andy
 
Nick Goloborodko

Hi,

I can see what you mean - but most likely this is a problem with the user's
end browser, and not your app. As I am coming from a PHP background, it was
always considered a good programming style to disable any caching done by
the browser / proxy server in HIGH security applications. What normally
happens when the user presses the back button is that the last page is brought
up by the browser without even sending a request to the server.

However, this generally can be fixed by using the HTTP headers "Cache-Control:
no-cache, must-revalidate" and "Pragma: no-cache". Since I'm only
beginning ASP.NET I cannot help you with the name of the function that
manages HTTP headers in .NET, but I can assure you that there is one. Also,
do read more on the Cache-Control: and Pragma: HTTP headers (Google it)

HTH
Nick Goloborodko
 
Joerg Jooss

Nick said:
Hi,

I can see what you mean - but most likely this is a problem with the
user's end browser, and not your app. As I am coming from a PHP
background, it was always considered a good programming style to
disable any caching done by the browser / proxy server in HIGH
security applications. What normally happens when the user presses
the back button is that the last page is brought up by the browser
without even sending a request to the server.

Which BTW is what the HTTP spec expects a browser to do.

However, this generally can be fixed by using the HTTP headers
"Cache-Control: no-cache, must-revalidate" and "Pragma: no-cache".
Since I'm only beginning ASP.NET I cannot help you with the name of
the function that manages HTTP headers in .NET, but I can assure you
that there is one. Also, do read more on the Cache-Control: and Pragma:
HTTP headers (Google it)

See System.Web.HttpCachePolicy or the @OutputCache directive.

Cheers,
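
The suggestions in this thread combined into one sketch, as an added example that is not code from any of the posters: a base page that marks protected pages as non-cacheable through System.Web.HttpCachePolicy and re-checks the login on every request, plus a logout page using the three calls quoted above. It assumes ASP.NET Web Forms with forms authentication; the class names SecurePage and LogoutPage, the session key "UserId" and the path ~/Default.aspx are hypothetical, and SetNoStore goes beyond the headers named in the thread.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical base class: every page that requires a login inherits from it.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Ask the browser and any proxy not to keep a copy of this page, so
        // that Back has to go to the server instead of showing a cached page.
        Response.Cache.SetCacheability(HttpCacheability.NoCache); // Cache-Control: no-cache
        Response.Cache.SetNoStore();                               // adds no-store
        Response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));   // already expired

        // Server-side check on every request: once the page is re-requested,
        // a logged-out user is sent to the login page, not the content.
        // "UserId" is an assumed key that the login code would have set.
        if (!Request.IsAuthenticated || Session["UserId"] == null)
        {
            FormsAuthentication.RedirectToLoginPage();
            Response.End(); // RedirectToLoginPage does not end the request itself
        }
    }
}

// Hypothetical logout page.
public class LogoutPage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        Session.Clear();               // drop everything stored in the session
        Session.Abandon();             // end the session on the server
        FormsAuthentication.SignOut(); // remove the forms authentication ticket

        Response.Redirect("~/Default.aspx"); // assumed public main page
    }
}
```

The cache settings only affect responses served after they are in place; a copy the browser stored earlier without them can still be shown on Back until it is evicted.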
 
