Disabling browser's back functionality on sign out from Asp.Net






Aug 5, 2005
After signing out of a site, clicking the browser's Back button still shows the previous page even though the user is signed out. Disabling caching avoids this.
Introduction
Disabling the Back Button
When I was coding sign in and sign out for my client's application, I found that after signing out from the application I transferred control to the login page, e.g. login.aspx. At this point, if I click the Back button of the browser, it shows the content of the previous page the user was viewing.
As there was important data displayed on the page, it is a security threat.
It is a threat for web applications displaying important information like credit card numbers or bank account details.
I tried to find a solution on the net but could not get a satisfactory answer.
On searching I found the following problem, and I think it is important to share this issue:
What happens when Back Button clicked
When we visit a page, it is stored in a cache, i.e. the history on the local machine.
Caching-
Caching of web pages can happen in three separate entities in a web environment.
Solution-
To avoid displaying the page when the Back button is clicked, we have to remove it from the cache, or tell the server not to cache this page. If the page is not cached, then on a click of the Back button the request goes to the server side, where it can be validated whether the session exists or not. This can be achieved by adding the following code in the page load of each page that we do not want cached in history.
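private void Page_Load(object sender, System.EventArgs e)
{
    // Buffer the output so the cache settings below go out with the response
    Response.Buffer = true;
    // Mark the page as already expired
    Response.ExpiresAbsolute = DateTime.Now.AddDays(-1d);
    Response.Expires = -1500;
    // Ask that the page not be served from cache
    Response.CacheControl = "no-cache";
    // No session means the user has signed out: send them to the login page
    if (Session["SessionId"] == null)
    {
        Response.Redirect("WdetLogin.aspx");
    }
}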
Code in Detail-
Response.Expires = -1500;
Response.CacheControl = "no-cache";
Things can work with only one line of code,
i.e. Response.CacheControl = "no-cache";
But it is good practice to delete the existing page from the cache.
This code tells the server not to cache this page. Because of this, when the user clicks the Back button, the browser will not find the page in the cache and will go to the server side to get the page.
Disabling the cache can also be done by adding the following line in
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
But when I tried this, it did not work for me.
Proxy Server Caching-
Response.CacheControl = "private";
It disables proxy server caching, and the page is cached on the local machine.
Response.CacheControl = "public";
Proxy server cache is enabled.
Users request pages from a local server instead of directly from the source.
So if the information displayed is critical, extra care should be taken to remove the page from the cache on sign out.
Hence, for such applications, keeping pages non-cacheable is a good solution.
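
One way to apply the solution above to every protected page without repeating it in each Page_Load, as an added example that is not the article's own code: a base page class using the HttpCachePolicy API (Response.Cache). The class names ProtectedPage and SignOut are hypothetical; Session["SessionId"] and WdetLogin.aspx are taken from the article. It goes slightly beyond the article by also sending no-store, the Cache-Control directive that forbids storing the response at all, whereas no-cache permits storage with revalidation.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class: pages showing sensitive data inherit from this
// instead of System.Web.UI.Page, so the check cannot be forgotten on one page.
public class ProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Mark the response as non-cacheable (Cache-Control: no-cache).
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        // Add no-store so browsers and proxies do not keep a copy that the
        // Back button could redisplay after sign out.
        Response.Cache.SetNoStore();
        // Expiry in the past, mirroring the article's ExpiresAbsolute line.
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));

        // Same server-side check as the article: with nothing cached, a Back
        // click reaches this code, and a missing session means signed out.
        if (Session["SessionId"] == null)
        {
            Response.Redirect("WdetLogin.aspx", true);
        }
    }
}

// Hypothetical sign-out page: the session must really be destroyed here,
// otherwise the check above still passes when the user navigates back.
public class SignOut : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        Session.Clear();    // drop all values stored for this user
        Session.Abandon();  // end the session on the server
        Response.Redirect("WdetLogin.aspx", true);
    }
}
```

The login page itself should not inherit from ProtectedPage, since it must load without a session.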