I have a web site in ASP.NET. We have two types of login:
1. Users
2. Administrator
I am facing the following problem during testing.
Problem statement: Suppose I log in with the user login and surf all the pages. Let's say on any user page I click the logout button; it redirects me to the login page.
Now the problem comes when I use the browser's back button: it shows me the user's page, but actually I should not be able to view that page after logout.
My functionality is correct, because if I click anything on that page after logout it redirects me to the login page again, but my problem is that I should not land on the user page via the browser's back button after logout.
[As happens in Google and Yahoo]
The same thing happens with the Admin login.
Please help me sort out the problem.
You have to set the following I guess
    // Expires header in the past, so any cached copy is already stale
    Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
    // do not serve the cached copy without revalidating, even before it expires
    Response.Cache.SetValidUntilExpires(false);
    // browsers and proxies must revalidate with the server
    Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
    // Cache-Control: no-cache
    Response.Cache.SetCacheability(HttpCacheability.NoCache);
    // Cache-Control: no-store, so the page is never written to the cache at all
    Response.Cache.SetNoStore();
This will also cause your page to post back when the user presses the back button, so you're able to check whether he's still logged in and, if not, redirect him to some other place.
The problem is that the pages you can press back to have been cached. You can instruct the browser to ALWAYS fetch the pages from the server every time.
You will need to generate all of the following headers:
Pragma: no-cache
Cache-Control: max-age=1
Expires: Tue, 1 May 1985 01:10:00 GMT
The problem is not all browsers support all options so you have to include all of these headers to ensure all browsers don't cache your pages.
The other reason for needing all of these headers, is that in some cases even if the web browser is respecting the expires headers, there can be a misconfigured proxy server between you and the user that is still caching the pages.
In ASP you probably want to do something like this:
public void Page_Load() {
    // expire the page in the past and forbid caching so Back has to re-fetch it
    Response.ExpiresAbsolute = DateTime.Now.AddDays(-1d);
    Response.Expires = -1500;
    Response.CacheControl = "no-cache";
    // a fresh ETag per response (randomString is assumed to be a new GUID each time)
    string randomString = Guid.NewGuid().ToString();
    Response.Cache.SetETag(randomString);
}
You must disable cache.
public void Page_Load()
{
    Response.Cache.SetCacheability(HttpCacheability.NoCache);
    ...
}
Take a look at Disabling Back button of Browser on Logout click like Yahoo,Gmail etc for Security
How do you log in/log out? A proper way of doing this is to save the user info into a session on login and clear that session on logout.
In every page's Page_Load method, test whether the session has valid info or not; if not, stop the page load.
This way, when the user logs out and clicks back, the session should be empty and the page won't load, and you can then redirect to the login page.
Reply if you need some code.
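Putting the no-cache headers from the earlier answers together with the session check this answer describes, as an added example that is not code from any of the posters: a base page that every protected page inherits. Session["UserId"], Session["Role"] and ~/Login.aspx are assumed placeholder names.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Base class for every page that needs a login. Assumed names: the login page
// sets Session["UserId"] and Session["Role"], and lives at ~/Login.aspx.
public class AuthenticatedPage : Page
{
    // Derived pages can tighten this (e.g. require the administrator role).
    protected virtual bool IsAuthorized()
    {
        return Session["UserId"] != null;
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // Forbid caching by the browser and by any proxy in between, so Back
        // after logout re-requests the page instead of showing a stored copy.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
        Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);

        // The headers only help because this server-side check refuses to
        // render the page once the session no longer holds a logged-in user.
        if (!IsAuthorized())
        {
            Response.Redirect("~/Login.aspx", true);
        }
    }

    // Wire every page's Logout button Click handler to this method.
    protected void Logout()
    {
        Session.Clear();
        Session.Abandon();
        // Expire the session cookie so the old session id is not sent again.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
        {
            Expires = DateTime.UtcNow.AddDays(-1)
        });
        Response.Redirect("~/Login.aspx", true);
    }
}

// Administrator pages additionally require the administrator role.
public class AdminPage : AuthenticatedPage
{
    protected override bool IsAuthorized()
    {
        return base.IsAuthorized() && "Administrator".Equals(Session["Role"]);
    }
}
```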