Disabling browser's back functionality on sign out from Asp.Net

11 Aug 2005
After signing out of the site, clicking the browser's Back button still shows the previous page even though the user is signed out. To avoid this, caching is disabled.

Introduction

Disabling the Back Button

When I was coding sign-in and sign-out for my client's application, I found that after signing out of the application I transferred control to the login page, e.g. login.aspx. At this point, if I clicked the browser's Back button, it showed the content of the previous page the user was viewing.

As there was important data displayed on the page, it is a security threat.

It is a threat for web applications displaying important information like credit card numbers or bank account details.

I tried to find a solution on the net but could not get a satisfactory answer.

On searching I found the following problem, and I think it is important to share this issue.

What happens when the Back button is clicked

When we visit a page, it is stored in a cache, i.e. history, on the local machine. Whenever the user clicks the Back button, the previous page is taken from this cache and displayed; the request does not go to the server to check the login information, because the page is found in the local cache. Only if we submit or refresh the page is a request sent to the server.

Caching-

Caching of web pages can happen in three separate entities in a web environment.

  1. When you think about caching, you usually think about the web pages cached locally, as a result of having visited them, in the temporary Internet files of the profile that was used to log in to the local machine.
  2. But caching can also occur within the Internet Information Server (IIS) server, and
  3. If a proxy server is present, it can be configured to cache the pages.

Solution-

To avoid displaying the page when the Back button is clicked, we have to remove it from the cache, or tell the server not to cache this page.

If the page is not cached, then on a click of the Back button the request goes to the server, where we can validate whether the session exists.

This can be achieved by adding the following code to the page load of each page that we do not want cached in history.

C#
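private void Page_Load(object sender, System.EventArgs e)
{
    // Buffer the page output until processing is complete
    Response.Buffer = true;
    // Expire the page with a date in the past
    Response.ExpiresAbsolute = DateTime.Now.AddDays(-1d);
    Response.Expires = -1500;
    // Tell the browser not to cache the page
    Response.CacheControl = "no-cache";
    // No session means the user is signed out: send them to the login page
    if (Session["SessionId"] == null)
    {
        Response.Redirect("WdetLogin.aspx");
    }
}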

Code in Detail-

Response.ExpiresAbsolute=DateTime.Now.AddDays(-1d);

Instead of the current date, we give a date in the past, which confirms the expiration of the page. The date is computed relative to now, rather than specified as a static date, to allow for time differences if the page is being viewed by a browser in a very different time zone.

Response.Expires = -1500;

Some IIS internals experts revealed this can be a very touchy parameter to rely upon, and it usually requires a rather "large" negative number or, pedantically, a very small number.

Response.CacheControl = "no-cache";

It tells the browser not to cache the page.

Things can work with only one line of code, i.e.

Response.CacheControl = "no-cache";

But it is good practice to delete the existing page from the cache.

This code tells the server not to cache this page. Because of this, when the user clicks the Back button, the browser will not find the page in its cache and will go to the server to get the page.
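The same idea applied once in a shared base class through the `Response.Cache` (HttpCachePolicy) API, together with a sign-out helper that ends the session so the `Session["SessionId"]` check fails on the next request. This is an added example, not the article's own code: `SecurePage` and `SignOut` are hypothetical names, and it also sends `no-store`, which the article's code does not.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class: protected pages inherit from SecurePage instead of
// System.Web.UI.Page, so the headers and the session check cannot be
// forgotten on an individual page.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // Sends Cache-Control: no-cache (the article's CacheControl value).
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        // Adds no-store: caches must not keep a copy of the response at all.
        Response.Cache.SetNoStore();
        // Expiry in the past, computed relative to now as in the article.
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));

        // Server-side check, as in the article's Page_Load: it runs every
        // time the browser has to request the page again.
        if (Session["SessionId"] == null)
        {
            Response.Redirect("WdetLogin.aspx", true);
            return;
        }
        base.OnInit(e);
    }

    // Hypothetical helper: call it from the sign-out button's click handler.
    protected void SignOut()
    {
        Session.Clear();    // remove "SessionId" and every other key
        Session.Abandon();  // end the server-side session
        Response.Redirect("WdetLogin.aspx", true);
    }
}
```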

Disabling the cache can also be done by adding the following line in the Meta section of the page:

<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">

But when I tried this, it did not work for me.

Proxy Server Caching-

Response.CacheControl = "private";

It disables proxy server caching; the page is cached only on the local machine.

Response.CacheControl = "public";

Proxy server caching is enabled.

Users request pages from a local server instead of directly from the source.
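A small check for the values discussed above, useful when reviewing the headers a page actually sends. It is an added example, not part of the original article: `CacheAudit` and `Classify` are hypothetical names, and the sample header values are constructed.

```csharp
using System;
using System.Collections.Generic;

public static class CacheAudit
{
    // Reports where a response may be stored, given its Cache-Control value.
    // Simplified: quoted directive arguments are not handled.
    public static string Classify(string cacheControl)
    {
        var directives = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (string part in (cacheControl ?? "").Split(','))
        {
            // Keep the directive name only, e.g. "max-age" from "max-age=60".
            string name = part.Split('=')[0].Trim();
            if (name.Length > 0) directives.Add(name);
        }

        // no-store: neither the browser nor a proxy may keep a copy.
        if (directives.Contains("no-store"))
            return "stored: nowhere";

        // private: the local machine only; otherwise a proxy may store it too.
        string where = directives.Contains("private")
            ? "browser only"
            : "browser and proxy";

        // no-cache: a stored copy must be checked with the server before reuse,
        // which is what gives the server the chance to test the session.
        string reuse = directives.Contains("no-cache")
            ? "must ask the server before reuse"
            : "may be reused without asking the server";

        return "stored: " + where + "; " + reuse;
    }

    public static void Main()
    {
        // Constructed samples; the first three are the values the article uses.
        string[] samples = { "no-cache", "private", "public", "no-cache, no-store" };
        foreach (string s in samples)
            Console.WriteLine("{0,-20} -> {1}", s, Classify(s));
    }
}
```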

So if the information displayed is critical, extra care should be taken to remove the page from the cache on sign out.

Hence, for such applications, keeping pages non-cacheable is a good solution.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.



Written By
Web Developer
India
Rohit Dighe
B.E. Computer from University of Pune, India.

Working on ASP.NET and C# for 2 years

Comments and Discussions

 
General: My vote of 3
Member 906317724-Apr-14 19:34
Question: Disabling Caching
bigdreams4-Nov-13 5:36
General: My vote of 1
Dineshnamdev14-Sep-12 23:16
Question: In FireFox, how to disable back button after logout
YogeshwarBK10820-Jul-12 20:12
General: Re: In FireFox, how to disable back button after logout
VICK4-Nov-13 17:55
Question: Thanks
Sayantan Adhikari11-Jul-11 19:34
Thank u, for your good explanation helped me a lot.
General: thank u so much buddy
suganthr25-May-11 21:23
General: My vote of 1
Kriish0528-Nov-10 20:33
General: Great!!!
minhhieu_dotnet16-Nov-10 22:51
General: My vote of 5
vijayaragavanvv7-Oct-10 18:25
General: My vote of 1
Hemant02614-Nov-09 20:54
General: My vote of 2
Member 29925823-Nov-09 19:23
General: This is a good and useful article... Thanks..
Pajosh8316-Jul-09 20:44
Question: Session Variables and Back Functionality after Logout.........
vijay.victory15-Apr-09 3:22
General: Not working in Mozilla sometime
.NET- India 3-Mar-08 22:12
Question: thank you
snopbear9-Feb-08 2:45
General: doesn't work with Mozilla
durbich11-Sep-07 5:04
Question: What at the End
hsr210729-Jul-06 3:52
Question: Opera?
TomazZ17-Jul-06 23:04
Question: Can be original.
hellomeandme14-Jun-06 5:38
Answer: Re: Can be original.
Hesham Amin17-May-07 0:01
General: Re: Can be original.
kuyak20008-Jul-07 17:50
General: Good for Beginner Re: Disabling browser's back functionality on sign out from Asp.Net
Jay_se29-May-06 0:18
General: Re: Disabling browser's back functionality on sign out from Asp.Net
winheart21-Feb-06 21:39
General: Re: Disabling browser's back functionality on sign out from Asp.Net
Aftab Naveed19-Jul-06 3:05
