Reputation: 2103
When a user clicks "Logout", the following (standard) action is successfully called:
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        WebSecurity.Logout();
        return RedirectToAction("Login", "Account");
    }
The user is redirected to the Login Page.
When clicking "Back" in the browser, though, the user is able to still see the last page where he/she was still logged in. If he/she then tries to perform an action, the user is successfully redirected to the login page because he is not authorized anymore.
Is there any way I can prevent a logged out user from seeing authorized stuff by clicking "Back" in the browser? Each of my controllers has the attribute [Authorize], already. Thank you for your input!
Upvotes: 0
Views: 7756
Reputation: 2019
Yes, you can do that.
You need to add a small JavaScript function to the master page or to the .aspx page, as per your need.
    <script type="text/javascript">
        window.history.forward();
        function noBack() { window.history.forward(); }
    </script>
and on the page body you can add
    <body onload="noBack();" onpageshow="if (event.persisted) noBack();" onunload="">
If the user presses the Back button on the page, he will be sent to the current page, as the history.forward code pushes the user back to the current page. Thus the user will not be able to go back.
Hope it will help.
Upvotes: 1
Reputation: 21191
Realistically, no, since what they're seeing is a cached version of the page in their browser. You could, I suppose, try to catch the back-navigation event with JavaScript, but I tend to find that practice highly annoying, and it's not all that hard to circumvent.
As you say, when the user attempts to perform any action, they are forced to authenticate again, so they really aren't seeing anything on a back-navigate that they weren't already privy to, so the real question is if there is justification for spending the time to fix what is likely a non-issue.
Upvotes: 2
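The cached copy mentioned in the answer above can be avoided on the server by marking authenticated responses as non-storable, so the browser has nothing to show on Back after logout. The following is an added example, not code from the question or from any answer; the name NoBrowserCacheAttribute is hypothetical, and it assumes ASP.NET MVC on System.Web with the standard FilterConfig class from the project template.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical filter name (not from the original posts).
// Sends "Cache-Control: no-cache, no-store" on pages rendered for a
// signed-in user, so the browser must ask the server again on Back.
public sealed class NoBrowserCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        // Child actions render into the parent response; skip them.
        if (filterContext.IsChildAction)
        {
            return;
        }

        // Leave anonymous pages (for example the login page) cacheable.
        if (!filterContext.HttpContext.Request.IsAuthenticated)
        {
            return;
        }

        HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);        // Cache-Control: no-cache
        cache.SetNoStore();                                     // Cache-Control: no-store
        cache.SetExpires(DateTime.UtcNow.AddDays(-1));          // Expires in the past
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches); // must-revalidate
        cache.SetValidUntilExpires(false);

        base.OnResultExecuting(filterContext);
    }
}

// Register once so every controller action is covered, including
// those already protected by [Authorize].
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new NoBrowserCacheAttribute());
    }
}
```

With these headers in place, a Back navigation after LogOff results in a new request, which [Authorize] redirects to the login page. Pages that were served before the filter was deployed keep whatever caching headers they were sent with.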
Reputation: 14216
If you are using forms authentication, then the following is an answer for you.
Logout issue with browser back button
Upvotes: 0