ASP.NET authentication login and logout with browser back button

asp.net asp.net-membership back-button
Eatdoku picture Eatdoku · Apr 22, 2010 · Viewed 72.9k times · Source

I am looking for a solution for user use the browser's back button to navigate to previous page once logged out.

I have a web application build in asp.net and using a custom membership provider for authentication and authorization. Everything works fine except when the user click on the logout link to log out of the application and being redirect to a default cover page, if the use click on the BACK BUTTON on their browser, it will actually go back to where they were before and the data will still show up.

Of course they can't do anything on that page, click on anything link they will be redirect to a login page again. But having those information display is making a lot users confused.

i am just wondering if there is any way i can either clear the browser's history so use can't go BACK, or when they click on the back button and have them redirect to the login page.

thanks

Answer

Sky Sanders picture Sky Sanders · Apr 22, 2010

Worrying about the browser history and back button is going to give you headaches and genital warts. There are facilities built in to handle this problem.

Your logout link/button should point to a page containing this code, along with whatever else you want.

[vb.net]

Imports System.Web.Security

Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) _
 Handles MyBase.Load
    Session.Abandon()
    FormsAuthentication.SignOut()
End Sub

[c#]

using System.Web.Security;

private void Page_Load(object sender, System.EventArgs e)
{
    // Put user code to initialize the page here
    Session.Abandon();
    FormsAuthentication.SignOut();
}

Code comes from this page and is valid but the page is hard on the eyes.

A good Question/Answer regarding backbutton behavior can be found here.

Update:

pursuant to the conversation I am having with Matthew, disabling caching on individual pages that are sensitive or volitile can be done with code such as follows:

Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();

I am curious to know if it works for you as it does for me.

Related questions

SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified

Well i have a big problem that i'm trying for days to solve but i could not do it, so i need your help. I have a web application in asp.net 4.0 where i implemented custom membership and role providers. …

Read More
Why is <deny users="?" /> included in the following example?

The ? wildcard represents unauthenticated users while * represents all users, authenticated and unauthenticated. My book shows the following example of URL authorization: <authorization> <deny users="?" /> <allow users="dan,matthew" /> <deny users="*" /> </authorization&…

Read More
How to obtain a list of Users from ASP.NET Identity?

Edit: This question is outdated The Identity Framework was a moving target at the moment I asked this. The authors changed quite a few things and they have decoupled several others, making everything easier. Have a look at the Asp.…

Read More