Browser Back button problem

Discussion in 'ASP .Net Security' started by GMK, Feb 22, 2005.

  1. GMK

    GMK Guest

    Dear all,
    I'm having a problem concerning the security of my application.
    The problem is that when a user is logged in and then logs out, I redirect
    him to the main page of my application, but if he clicks on the browser's
    "back button" he could then enter the application.
    I'm removing all sessions concerning the application on logout, but I would
    like to know how I could handle the "Back button click event" of the
    browser.

    Thanks in advance for your help.
     
    GMK, Feb 22, 2005
    #1

  2. GMK

    Scott M. Guest

    You can't handle the back button of the browser, since it is a client-side
    event. There are some alternatives though...

    You could check for a valid session on the page that could be "backed" into
    and, if there isn't one, redirect the user to the logged out page.

    You could set the page being backed into to expire immediately, so that when
    a user backs into it, they get a page expired message, rather than the page.

    "GMK" <> wrote in message
    news:...
    > Dear all,
    > I'm having a problem concerning the security of my application.
    > The problem is that when a user is logged in and then logs out, I redirect
    > him to the main page of my application, but if he clicks on the browser's
    > "back button" he could then enter the application.
    > I'm removing all sessions concerning the application on logout, but I would
    > like to know how I could handle the "Back button click event" of the
    > browser.
    >
    > Thanks in advance for your help.
    >
    >
     
    Scott M., Feb 22, 2005
    #2

  3. GMK

    Andy Fish Guest

    If the browser does not re-request the page when he uses the back button,
    and simply displays the cached page, (IE does this with the default
    settings) there is nothing you can do since no request is re-sent to the
    server when he clicks back.

    If the back button is requesting the page from the server and your app
    thinks he is logged in, it seems you are not doing a very good job of
    logging him out !! To log him out you should do this:

    Session.Clear();
    Session.Abandon();
    FormsAuthentication.SignOut();

    (assuming you are using forms authentication). Then when he clicks back, he
    will just see the login page.

    Andy

    "GMK" <> wrote in message
    news:...
    > Dear all,
    > I'm having a problem concerning the security of my application.
    > The problem is that when a user is logged in and then logs out, I redirect
    > him to the main page of my application, but if he clicks on the browser's
    > "back button" he could then enter the application.
    > I'm removing all sessions concerning the application on logout, but I would
    > like to know how I could handle the "Back button click event" of the
    > browser.
    >
    > Thanks in advance for your help.
    >
    >
     
    Andy Fish, Feb 24, 2005
    #3
  4. Hi,

    I can see what you mean - but most likely this is the problem with the user's
    end browser, and not your app. As I am coming from a PHP background, it was
    always considered good programming style to disable any caching done by
    the browser / proxy server in HIGH security applications. What normally
    happens when the user presses the back button is that the last page is brought
    up by the browser without even sending a request to the server.

    However, this generally can be fixed by using the HTTP headers "Cache-Control:
    no-cache, must-revalidate" and "Pragma: no-cache". Since I'm only
    beginning ASP.NET I cannot help you with the name of the function that
    manages HTTP headers in .NET, but I can assure you that there is one. Also,
    do read more on the Cache-Control: and Pragma: HTTP headers (Google it).

    HTH
    Nick Goloborodko
     
    Nick Goloborodko, Feb 25, 2005
    #4
  5. GMK

    Joerg Jooss Guest

    Nick Goloborodko wrote:

    > Hi,
    >
    > I can see what you mean - but most likely this is the problem with the
    > user's end browser, and not your app. As I am coming from a PHP
    > background, it was always considered good programming style to
    > disable any caching done by the browser / proxy server in HIGH
    > security applications. What normally happens when the user presses
    > the back button is that the last page is brought up by the browser
    > without even sending a request to the server.


    Which BTW is what the HTTP spec expects a browser to do.

    > However, this generally can be fixed by using the HTTP headers
    > "Cache-Control: no-cache, must-revalidate" and "Pragma: no-cache".
    > Since I'm only beginning ASP.NET I cannot help you with the name of
    > the function that manages HTTP headers in .NET, but I can assure you
    > that there is one. Also, do read more on the Cache-Control: and Pragma:
    > HTTP headers (Google it).


    See System.Web.HttpCachePolicy or the @OutputCache directive.

    Cheers,
    --
    http://www.joergjooss.de
     
    Joerg Jooss, Feb 25, 2005
    #5
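
Added example, not part of the original thread: one way to combine the suggestions above in ASP.NET Web Forms, with a server-side authentication check and a no-cache policy (via `HttpCachePolicy`) on every protected page, plus a logout page that clears the session and the forms ticket. The class names `SecurePage` and `Logout` and the path `~/Default.aspx` are hypothetical; forms authentication and the default session cookie name are assumed.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical base class: every page that requires a login inherits from it.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Server-side check: if a request does reach the server after logout,
        // it is sent to the login page instead of being rendered.
        if (!Request.IsAuthenticated)
        {
            Response.Redirect(FormsAuthentication.LoginUrl, true);
        }

        // Cache policy: ask the browser and any proxy not to keep a copy, so
        // the Back button has to re-request the page and hits the check above.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
    }
}

// Hypothetical logout page.
public class Logout : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        Session.Clear();                 // drop session data
        Session.Abandon();               // end the server-side session
        FormsAuthentication.SignOut();   // remove the forms-auth ticket cookie

        // Expire the session cookie (default name assumed) so the old
        // session id is not sent again by the browser.
        HttpCookie expired = new HttpCookie("ASP.NET_SessionId", "");
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        Response.Cookies.Add(expired);

        Response.Redirect("~/Default.aspx", true);   // hypothetical landing page
    }
}
```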