derick

Reputation: 1158

easiest way to prevent the back button of your browser from showing secure data after a user logs out?

In a normal web app w/ login and secure data, what is an easy way to secure that data and prevent it from being seen by using the browser's back button, once a user logs out?

Upvotes: 13

Views: 11090

Answers (6)

Davionk

I have tried this VB.NET code on IE and Firefox.

 ' Keep the response out of the browser's history list.
 Response.Cache.SetAllowResponseInBrowserHistory(False)
 ' Cache-Control: no-cache - any copy must be revalidated before reuse.
 Response.Cache.SetCacheability(HttpCacheability.NoCache)
 ' Cache-Control: no-store - do not write the response to disk or memory caches at all.
 Response.Cache.SetNoStore()
 ' Expire the response immediately (Expires is in minutes from now).
 Response.Expires = 0

This does the trick, but I agree with the other answers that you can't guarantee how a client browser will behave.

Upvotes: 1

Wedge

Reputation: 19865

Here's a useful browser caching guide.

You want to set the cache-control and expiration date headers (setting a date in the past), e.g.

 Cache-Control: no-cache
 Expires: Fri, 31 Dec 1998 12:00:00 GMT

Upvotes: 5
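The headers above in context, as an added example that is not part of any of the original answers: a small Node.js request handler that attaches the no-cache headers to every response carrying user data and re-checks the session on every request, so that a "Back" navigation which re-requests the page after logout is redirected instead of served. Note that `no-store` is the directive that actually keeps the page out of the browser's store; `no-cache` alone allows a copy to be kept and only asks for revalidation. The paths, the in-memory session store, the cookie name `sid` and the page body are all constructed for this demo.

```javascript
// Added example, not from the original answers: a minimal Node.js handler for
// an authenticated page. Every response with user data is marked non-cacheable
// and the session is validated per request, so a re-requested page after
// logout is refused. Paths, session store, cookie name and body are constructed.

// Headers attached to every response that contains user-specific data.
// `no-store` is the one that matters for Back-button exposure; `no-cache`
// merely forces revalidation. Pragma/Expires cover HTTP/1.0 caches and proxies.
function noStoreHeaders() {
  return {
    'Cache-Control': 'no-store, no-cache, must-revalidate, private',
    'Pragma': 'no-cache',
    'Expires': 'Fri, 31 Dec 1998 12:00:00 GMT',
  };
}

// Constructed in-memory session store: session id -> user name.
const sessions = new Map();
function login(sessionId, user) { sessions.set(sessionId, user); }
function logout(sessionId) { sessions.delete(sessionId); }

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Routing kept free of the http module so it can be exercised without a socket.
// Returns { status, headers, body } for the given path and Cookie header.
function handle(path, cookieHeader) {
  const sid = parseCookies(cookieHeader).sid;
  const user = sid ? sessions.get(sid) : undefined;

  if (path === '/account') {
    if (!user) {
      // No valid session: never serve the page, send the browser to /login.
      return { status: 302, headers: { Location: '/login', ...noStoreHeaders() }, body: '' };
    }
    return {
      status: 200,
      headers: { 'Content-Type': 'text/html; charset=utf-8', ...noStoreHeaders() },
      body: `<h1>Account page for ${user}</h1>`,
    };
  }

  if (path === '/logout') {
    // Invalidate the server-side session and expire the cookie in the browser.
    logout(sid);
    return {
      status: 302,
      headers: { Location: '/login', 'Set-Cookie': 'sid=; Max-Age=0; Path=/; HttpOnly', ...noStoreHeaders() },
      body: '',
    };
  }

  return { status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'not found' };
}

// Wrap the handler in a real server. To try it: login('demo', 'alice'),
// createServer().listen(8080), set the cookie sid=demo in the browser,
// open /account, then /logout, then press Back.
function createServer() {
  const http = require('http');
  return http.createServer((req, res) => {
    const r = handle(req.url, req.headers.cookie);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  });
}
```

The design point is that the headers and the per-request session check work together: the headers make the browser ask again, and the check is what turns that second request into a redirect once the session has been destroyed and the cookie expired.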

AJ.

Reputation: 13761

There is no perfect solution

Although there are some very reasonable solutions to this (cache control headers, javascript, etc), you need to realise that once you have sent something to a client, it is out of your control. You cannot guarantee that the client will treat the data in the way you would like.

For example:

  • there could be a bug in a browser
  • a browser might allow users to turn off cache control
  • a user might be running with javascript disabled

Sorry :(

Upvotes: 3

Bell

Reputation: 18705

Cache control headers (Expires, Cache-Control, ETag) will generally prevent the caching of the page, forcing the browser to request a new copy at which point you can check the session status. They are sometimes ignored in the interests of "performance" though.

There are two Javascript approaches that could help you:

  • Use the exit event from your page (onSubmit for forms or onUnload for other pages) to clear the content when leaving pages.
  • Use document.location.replace() instead of normal links when moving between pages so as not to leave a trail in the browser history that the user could return to.

Both of these are likely to have a pretty horrid effect on usability though.

Upvotes: 3

Joshua

Reputation: 363

Set the caching headers to disallow any caching of the page at all. This should prevent even the page itself from being shown when the user hits the back button unless they are logged in.

Upvotes: 1

tsilb

Reputation: 8037

Depends on your login solution (SSO - Windows Live / OpenID vs homegrown, where login info is stored, etc)... Since 'back' doesn't generally request the page again, I'd suggest clearing the forms in JavaScript (OnLoad). On the server side, you can then populate them (Page_Load). Clear your session and viewstate upon logoff.

Upvotes: 0
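The client-side approaches from Bell's and tsilb's answers (clear the page on exit, replace history entries instead of adding to them, clear forms on load), as one added example that is not part of either answer. It covers the case the headers cannot: the browser restoring the page from its back/forward cache without re-requesting it. The `pageshow` event reports this through `event.persisted`, and a reload at that point forces a real request that the server can refuse. `pagehide` is used instead of the older `unload`, which in several browsers makes the page ineligible for that cache anyway. The `data-sensitive` attribute and the stub `win`/`doc` objects used to exercise the functions are assumptions for the demo.

```javascript
// Added example, not from the answers above: client-side handling of a page
// restored from the browser's back/forward cache. The data-sensitive marker
// and the stub window/document objects are assumptions for this demo.

// Blank every element marked data-sensitive (inputs get value='', everything
// else gets empty text). Returns how many elements were cleared.
function clearSensitiveFields(doc) {
  let cleared = 0;
  for (const el of doc.querySelectorAll('[data-sensitive]')) {
    if ('value' in el) el.value = '';
    else el.textContent = '';
    cleared++;
  }
  return cleared;
}

// pageshow fires with persisted=false on a normal load and persisted=true
// when the page is restored from the back/forward cache without a request.
// On a restore, force a real request so the server can re-check the session.
function onPageShow(event, win) {
  if (event.persisted) {
    win.location.reload();
    return 'reloaded';
  }
  return 'fresh-load';
}

// Navigate without leaving a history entry the Back button could return to
// (the document.location.replace() suggestion from Bell's answer).
function navigateReplacing(win, url) {
  win.location.replace(url);
  return url;
}

// Wire the handlers: wipe sensitive content when the page is hidden (covers
// the logout navigation itself) and reload if it is ever shown from cache.
function install(win, doc) {
  win.addEventListener('pageshow', (event) => onPageShow(event, win));
  win.addEventListener('pagehide', () => clearSensitiveFields(doc));
}

// Only attach to a real window; the guard lets the module load under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  install(window, document);
}
```

In a real page this script goes on every authenticated view, alongside the server-side headers and session check; on its own it is only a mitigation, since a user with JavaScript disabled or a browser that ignores it is still outside your control.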
