Etienne

Reputation: 7201

Problem with my Session variables in ASP.NET 2.0

I keep a Session variable when the user is logged in. So that when the user clicks on btnLogout it must clear all my sessions and log the user out for GOOD!!!

It does clear my sessions, but if I click the BACK button in IE right after I logged out then I am still logged in! Meaning it goes back to the screen where the user was still logged in.

My code on log out

protected void btnLogout_Click(object sender, EventArgs e)
{
   Session.Clear();
   Session.Abandon();
   Session.RemoveAll();

   Response.Redirect("Home.aspx");
}

Why is this and how can I prevent this?

EDIT: Is there maybe an option in code I can use that will stop the user from pressing the BACK button in the web browser?

Upvotes: 2

Views: 3013

Answers (4)

ultravelocity

Reputation: 2149

You could put this in the Page_Init of your Master:

Response.Cache.SetNoServerCaching();
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
Response.Cache.SetExpires(new DateTime(1900, 01, 01, 00, 00, 00, 00));

This is, e.g., what most bank websites do so you can't effectively use the back button.

Upvotes: 4

Charlie

Reputation: 2096

Is this really an issue though? Yes they could see their previous page as it has been cached, but as soon as they attempt to make any other legitimate requests within this context these will fail as your session variables are gone.

Unless you have some very specific reason for coding around this you would be solving a problem that doesn't really exist.

Upvotes: 3

Zahir J

Reputation: 1179

There are several ways you can tell the browser not to cache the page, either from code-behind, JavaScript or through HTML, by using the following on the page:

<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">

It would also have been good practice to add in your Page_Load event in the code-behind some code to ensure that the session variable still actually exists.

Upvotes: 2
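
The no-cache headers and the per-request session check suggested in the answers above, combined in one base page class, as an added example that is not code from any of the posters. The class name `AuthenticatedPage`, the session key `UserId` and the `LogOut` helper are assumptions; `Home.aspx` is taken from the question and is assumed to be a public page that does not inherit from this class.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class: pages that require a login inherit from this instead of Page.
public class AuthenticatedPage : Page
{
    // Assumption: the login code stores the user under this session key.
    private const string UserKey = "UserId";

    protected override void OnInit(EventArgs e)
    {
        // Ask the browser and any proxy not to keep a copy of this response,
        // so that Back re-requests the page instead of showing a stored one.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));

        // Server-side check on every request: without a live session,
        // nothing from this page is rendered.
        if (Session[UserKey] == null)
        {
            Response.Redirect("Home.aspx", true); // true ends the request here
        }

        base.OnInit(e);
    }

    // Call this from btnLogout_Click.
    protected void LogOut()
    {
        Session.Clear();
        Session.Abandon();

        // Abandon() does not remove the session cookie from the browser;
        // expire it so the old session ID is not sent again.
        HttpCookie expired = new HttpCookie("ASP.NET_SessionId", string.Empty);
        expired.Expires = DateTime.UtcNow.AddYears(-1);
        Response.Cookies.Add(expired);

        Response.Redirect("Home.aspx", true);
    }
}
```

`ASP.NET_SessionId` is the default session cookie name; if the `sessionState` element in web.config sets a different `cookieName`, use that value instead.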

Paul Alexander

Reputation: 32377

The browser maintains a cache of the page so simply hitting back will not make a request to the server to see if you're still logged in. You'd have to use HTTPS to ensure the cache is also protected.

Upvotes: 1
