RY4N

Reputation: 1112

Prevent a (signed out) user from viewing logged-in member ASP.NET website pages by hitting the browser back button

Scenario:

  1. User "a" logs in to the website and gains access to member directory pages from a library computer.
  2. User "a" logs out and leaves the browser open.
  3. User "b" starts to use the same computer, hits the back button and sees user "a"'s member pages and information.
  4. User "b" cannot do anything on the pages but just view them (they will be redirected to login if they hit refresh, for example). User "b" being able to view a's data at all is a security hazard/bug.

Current code on log off:

Session.Contents.RemoveAll();
FormsAuthentication.SignOut();
Session.Abandon();
Response.Redirect("~/LogOff.aspx", false);

So how can I stop them from just hitting back in the browser to "view only" pages that they are no longer authenticated to view?

I understand that there is a way to switch off browser caching for the site.

E.g.: Disabling browser caching for all browsers from ASP.NET

BUT would this interfere/be costly, as I have update panels for partial postbacks?

Are there any other alternatives to the problem I've described?

Thanks

Upvotes: 3

Views: 343

Answers (2)

Qasim Javaid Khan

Reputation: 660

OK, Session[""] != null is an important thing, to see whether that's null or not. But as there isn't any Page_Load event, this is the solution: disable the cache on master pages / content holder pages. The pages won't be stored in the cache, and on pressing the back button it will take you to the login screen if it isn't logged in.

Copy these tags under the head section:

<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="-1" />
<meta http-equiv="CACHE-CONTROL" content="NO-CACHE" />

and copy this into the code-behind file:

Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
Response.Cache.SetCacheability(System.Web.HttpCacheability.NoCache);
Response.Cache.SetNoStore();

You will be good to go.

Upvotes: 0

JackBauer

Reputation: 33

I know a more primitive way for this. You should check for an activated user in the Page_Load of all pages; if the current user is not an activated user, you should redirect him/her to logoff.aspx. It is not the best way, but it used to work. I hope it helps you.

Upvotes: 1
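Putting both answers together, as an added example that is not code from the question or either answer: a hypothetical base class for member-only pages that sends the no-cache headers on every response and refuses unauthenticated requests server-side, plus the sign-out sequence it assumes. The class names, the login URL from FormsAuthentication and the default ASP.NET_SessionId cookie name are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical base class for every member-only page (added example, not code
// from the question or either answer).
public class MemberPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // 1. Ask browsers and proxies not to keep a copy of the response.
        //    "no-store" is what stops the back button serving the page from the
        //    history cache without any request reaching the server.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));

        // 2. Headers are only a request to the browser; the server must still
        //    refuse on its own. This runs for UpdatePanel async postbacks too,
        //    since partial postbacks go through the normal page lifecycle.
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
        }
    }
}

// Code-behind of the sign-out page the base class assumes. The session cookie
// is expired explicitly so the old session id is not presented again.
public partial class LogOff : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Session.Clear();
        Session.Abandon();
        FormsAuthentication.SignOut();
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1)
        });
        Response.Redirect(FormsAuthentication.LoginUrl, false);
    }
}
```

The meta tags from the first answer still help for pages served from static caches, but the response headers above are what the browser actually honours for the back button, and the authentication check is what makes the page safe even where a browser ignores them.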
