vaibhavd

Disabling Back button of Browser on Logout click like Yahoo, Gmail etc for Security

First, I am setting the session variable as Session["SessionId"] in the Global.asax file as below:

void Session_Start(object sender, EventArgs e) 
{
  // Code that runs when a new session is started
  string sessionId = Session.SessionID;
  Session["SessionId"] = "true";
}

I am using this code in the Page_Load() event of the master page:

Response.Buffer = true;
Response.ExpiresAbsolute = DateTime.Now.AddDays(-1d);
Response.Expires = -1500;
Response.CacheControl = "no-cache";

if(Session["SessionId"] == null)
{
  Response.Redirect("PatientLoginPage.aspx");
}

and I am using Firefox as my default browser, but it is not working in it, nor in the Chrome browser. Correct me if I am wrong. Please help me...

Thanks in advance,

vaibhav D.

Upvotes: 2

Views: 4194

Answers (2)

Zhaph - Ben Duguid

Reputation: 26956

Session_Start will be called each time a session is started - so even if you're calling Session.Abandon() in your logout code, as soon as the user hits a new page, Session_Start will be fired (as it looks like a new session), and Session["SessionId"] will no longer be null, and will be set back to "true" again.

I think Misquamaqus has the right answer about how to go about "disabling" the back button, but this should help resolve the issue in your master page.

Upvotes: 1
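The point made in the answer above, as an added example that is not part of the original posts: the login flag is set only after a successful login instead of in Session_Start, and the master page check then sees null again after logout. The class and method names (AuthSession, SignIn, SignOut, RequireLogin) are hypothetical, and the example assumes the login page does not use the protected master page and that the default session cookie name is in use.

```csharp
using System;
using System.Web;

// Hypothetical helper; class and method names are assumptions for this example.
public static class AuthSession
{
    private const string Flag = "SessionId"; // same session key the question uses

    // Call once the credentials have been verified on PatientLoginPage.aspx.
    // Session_Start must not set this flag: it runs for every new session,
    // including the fresh one that is created right after logout.
    public static void SignIn(HttpContext ctx)
    {
        ctx.Session[Flag] = "true";
    }

    // Call from the logout click handler.
    public static void SignOut(HttpContext ctx)
    {
        ctx.Session.Clear();
        ctx.Session.Abandon();
        // Expire the session cookie so the old session id is not presented again.
        // "ASP.NET_SessionId" is the default cookie name (assumed unchanged here).
        HttpCookie expired = new HttpCookie("ASP.NET_SessionId", string.Empty);
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        ctx.Response.Cookies.Add(expired);
        ctx.Response.Redirect("PatientLoginPage.aspx", false);
        ctx.ApplicationInstance.CompleteRequest();
    }

    // Call at the top of the master page's Page_Load.
    // Returns false when the request was redirected to the login page.
    public static bool RequireLogin(HttpContext ctx)
    {
        // Ask the browser not to cache or store protected pages, so that Back
        // after logout should trigger a new request that the check below rejects.
        HttpCachePolicy cache = ctx.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);
        cache.SetNoStore();
        cache.SetExpires(DateTime.UtcNow.AddDays(-1));

        if (ctx.Session[Flag] != null) return true;
        ctx.Response.Redirect("PatientLoginPage.aspx", false);
        ctx.ApplicationInstance.CompleteRequest();
        return false;
    }
}
```

In the master page's Page_Load, return early when RequireLogin(HttpContext.Current) is false so that no protected content is rendered for the redirected request.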

Quamis

Reputation: 11077

If I'm not mistaken, Gmail and Yahoo use 2 redirects when logging out, so when you click "back" you actually go back to a bogus page, not the one before you logged out. Try to do the same.

Also, the type of redirect used might or might not affect the browser history (I'm referring here to a redirect from the HTTP headers or a redirect from a simple JavaScript).

Try to experiment a little with this info and a bogus "proxy" page that acts as an intermediate between the "logged in" mode and the "logged out" mode.

Upvotes: 3
