Click here to Skip to main content
Click here to Skip to main content

Disabling browser's back functionality on sign out from Asp.Net

, 11 Aug 2005
Rate this:
Please Sign up or sign in to vote.
After sign out from site if browsers back button is clicked it shows the previous page, though user is sign out from the site, to avoid this disabling of cache is done
<!-- HTML for article "Disabling browser's back functionality on sign out from Asp.Net" by Rohit123dighe,Rohit123dighe,Rohit123dighe,Rohit123dighe URL: http://www.codeproject.com/useritems/NoCaching.asp Article content copyright Rohit123dighe,Rohit123dighe,Rohit123dighe,Rohit123dighe All formatting, additions and alterations Copyright © CodeProject, 1999-2005 --><!----------------------------- Ignore -----------------------------><!----------------------------- Ignore -----------------------------><!----------------------------- Article Starts ----------------------------->

Introduction

                      Disabling the Back Button

 When i was doing coding for sign in and sign out for my clients application, i found that after signing out from the application i transfered the control to login page e.g. login.aspx. At this point if i click the Back button of Browser it shows the content of previous page user was viewing.

    As there was important data displayed on page it is security threat.

It is a threat for web applications displaying important information like credit card numbers  or bank account details.

 

  I tried to find the solution on net but could not get satisfactory answer.

On searching i found following problem, and i think it is important to share this issue-

What happens when Back Button clicked

When we visit a page it is stored in a cache i.e. history on a local machine. Whenever user clicks the Back button, previous page is taken from this cache and displayed; request does not go to the server to check the login information as page is found on local cache. If we submit the page or refresh the page then only page is sent to the server side.

Caching-

Caching of Web Pages can happen in three separate entities in a Web environment.

  1. When you think about caching, you usually think about the Web pages cached locally in your temporary Internet files of the profile that was used to log into local machine as a result of having visited the page.
  2.  But caching can also occur within the Internet Information Server (IIS) Server, and
  3. If a proxy server is present, it can be configured to cache the pages.

Solution-

To avoid the displaying of page on click of back button we have to remove it from cache, or have to tell the server not to cache this page.

So if we do not cache the page then on click of back button request goes to server side and validation can be done whether session exist's or not.

 

This can be achieved by adding following code in the page load of the page for which we do not want to cache the page in history.

 

Response.Buffer=<SPAN style="COLOR: blue">true;<o:p></o:p>
Response.ExpiresAbsolute=DateTime.Now.AddDays(-1d);
Response.Expires =-1500;
Response.CacheControl = "no-cache";
 if(Session["SessionId"] == null)
    {
	Response.Redirect ("WdetLogin.aspx");
    }
}

Code in Detail-   

Response.ExpiresAbsolute=DateTime.Now.AddDays(-1d);

 In this instead of giving the current date we gave the date in the past so it confirms the expiration of page. So that allowing for time differences, rather than specify a static date. If your page is being viewed by a browser in a very different time-zone.

 

 

Response.Expires = -1500;     

 Some IIS internals experts revealed this can be a very touchy parameter to rely upon and usually requires a rather"large" negative number or pedantically, that would be a very small number.

 

 

Response.CacheControl = "no-cache";

 It tells the browser not to cache the page.

 

Things can work with only one line of code

i.e.     Response.CacheControl = "no-cache";

 

But it is good practice to delete the existing page from cache.

 

This code will tell the server not to cache this page, due to this when user clicks the Back button browser will not find the page in cache and then will go to server side to get the page.

 

Disabling cache can also be done by adding following line in Meta section of page

 

<METAHTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">

 

But when I tried this it does not worked for me. 

 Proxy Server Caching- 

Response.CacheControl = "private";

           It disables the proxy server caching and page is cached on local machine.

Response.CacheControl = "public";

           Proxy server cache is enabled.

Users request pages from a local server instead of direct from the source.

 

 

So if the information displayed is critical information extra care should be taken to remove the page from cache on sign out.

 

Hence for such applications keeping pages non caching is good solution.

 

 

 

<!----------------------------- Article Ends ----------------------------->

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

RohitDighe
Web Developer
India India
Rohit Dighe
B.E. Computer from University of Pune, India.
 
Working on Asp.Net and C# from 2 years

Comments and Discussions

 
GeneralMy vote of 3 PinmemberMember 906317724-Apr-14 19:34 
QuestionDiabling Caching Pinmemberbigdreams4-Nov-13 5:36 
GeneralMy vote of 1 PinmemberDineshnamdev14-Sep-12 23:16 
QuestionIn FireFox , how to disable back button after logout PinmemberYogeshwarBK10820-Jul-12 20:12 
GeneralRe: In FireFox , how to disable back button after logout Pinmember VICK4-Nov-13 17:55 
QuestionThanks PinmemberSayantan Adhikari11-Jul-11 19:34 
Generalthank u so much buddy Pinmembersuganthr25-May-11 21:23 
GeneralMy vote of 1 PinmemberKriish0528-Nov-10 20:33 
If u just handle session is engough to prevent back button in IE but even ur code is not working in Mozilla Firox. Pls check n if u get solution pls frop mail to kriish05@yahoo.com.
Thanking you
GeneralGreat!!! Pinmemberminhhieu_dotnet16-Nov-10 22:51 
GeneralMy vote of 5 Pinmembervijayaragavanvv7-Oct-10 18:25 
GeneralMy vote of 1 PinmemberHemant02614-Nov-09 20:54 
GeneralMy vote of 2 PinmemberMember 29925823-Nov-09 19:23 
GeneralThis is a good and usefull article... Thanks.. PinmemberPajosh8316-Jul-09 20:44 
QuestionSession Variables and Back Functionality after Logout......... Pinmembervijay.victory15-Apr-09 3:22 
GeneralNot working in Mozilla sometime Pinmember.NET- India3-Mar-08 22:12 
Questionthank you Pinmembersnopbear9-Feb-08 2:45 
Generaldoesnt work twith mozilla Pinmemberdurbich11-Sep-07 5:04 
QuestionWhat at the End Pinmemberhsr210729-Jul-06 3:52 
QuestionOpera? PinmemberTomazZ17-Jul-06 23:04 
QuestionCan be original. Pinmemberhellomeandme14-Jun-06 5:38 
AnswerRe: Can be original. Pinmemberhspc17-May-07 0:01 
GeneralRe: Can be original. Pinmemberkuyak20008-Jul-07 17:50 
GeneralGood for Beginner Re:Disabling browser's back functionality on sign out from Asp.Net Pinmemberjeya198129-May-06 0:18 
GeneralRe:Disabling browser's back functionality on sign out from Asp.Net Pinmemberwinheart21-Feb-06 21:39 
GeneralRe:Disabling browser's back functionality on sign out from Asp.Net PinmemberAftab Naveed19-Jul-06 3:05 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web01 | 2.8.140709.1 | Last Updated 12 Aug 2005
Article Copyright 2005 by RohitDighe
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid