can you prevent malicious use of browser back button in forms auth

[Danny]

Hi there,

Here is a scenario that I 've been asked to look into. Can anyone comment on this...

I have a Web App that uses forms authentication to secure sections. Say for example that a user is logged in and authenticated to use secure sections of site. User then proceeds to navigate to some site outside of the secure sections of the web app (could be any url) but forgets to log out then eventually gets up and walks away from their machine. Some other malicious user then comes along and presses the back button on their browser to see what forgetful user has been looking at.

I've been asked to somehow prevent that malicious user from being able to gain access to secure content if fogetful user didn't logout and the forms authentication timer on the auth cookie hasn't yet expired.

I'm really not sure if this is possible

 

[Wes Henderson]

Danny,

Try this in your Page_Load:
Response.Cache.SetCacheability(HttpCacheability.NoCache)

This will make it so that when they hit back, the pages aren't still there.

--
Regards,
Wes Henderson

In order to help everyone, please direct all replies to this newsgroup.
This posting is my personal effort to provide help and is not on behalf of
any company.
Also, this posting is provided "AS IS" with no expressed or implied
warranties.

Hi there,

Here is a scenario that I 've been asked to look into. Can anyone comment on this...

I have a Web App that uses forms authentication to secure sections. Say

for example that a user is logged in and authenticated to use secure
sections of site. User then proceeds to navigate to some site outside of the
secure sections of the web app (could be any url) but forgets to log out
then eventually gets up and walks away from their machine. Some other
malicious user then comes along and presses the back button on their browser
to see what forgetful user has been looking at.

I've been asked to somehow prevent that malicious user from being able to

gain access to secure content if fogetful user didn't logout and the forms
authentication timer on the auth cookie hasn't yet expired.

 

[Danny]

This does prevent cached pages from being viewed however it does not prevent the fact that a valid authentication cookie still exists on the client machine. Therefore, when the malicious user presses back, the secure pages are reloaded from the server using the forms authentication cookie that nice user accidently left lying around (without knowing it).

What I'm trying to ask here is how can you prevent a malicious user (inadvertently) making use of the forms authentication cookie that hasn't yet expired due to a timeout?