Hi,
I have a problem when user logout and hit the back button of the browser the pages are showing from browser history. My client does not like to disable the back button by javascript for this. So can you provide a better solution for this? All Actions of each controller is protected by checking authentication.
Thanks

What you need to do is set the content being rendered by the action to not be cacheable on the client. When they click Back, they will be sent to your action again (rather than the cached content) and if you've implemented the Authorize Attribute on your actions, you will be redirected to the login page.

You could create an action filter and have the cache directives set by that filter

http://stackoverflow.com/questions/1160105/asp-net-mvc-disable-browser-cache/1705113#1705113

Then, you simply tag your controllers or actions with the filter attribute to apply the directives.
Comments
Bishnu Tewary 15-Mar-12 3:22am    
Thanks Dylan, your reference link helped me to fix my problem. It works by simply adding this
[System.Web.Mvc.OutputCache(NoStore = true, Duration = 0, VaryByParam = "*")]

on the controller action for which I want to disable cache. Th
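The action filter Dylan describes, written out here as an added example (not code from this thread); NoBrowserCacheAttribute and AccountController are assumed names. It emits the same no-store/no-cache directives as the OutputCache attribute above, and is meant for the authenticated controllers only, since it also stops Back/Forward from serving the cached copy while the user is logged in.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Assumed name. Apply to a controller class or to individual actions.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public sealed class NoBrowserCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpResponseBase response = filterContext.HttpContext.Response;

        // Cache-Control: no-cache  -> the browser must revalidate before reuse,
        // so Back goes to the action again and [Authorize] redirects to login.
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        // Cache-Control: no-store  -> no copy may be kept at all, which is the
        // part that keeps sensitive pages out of the browser history cache.
        response.Cache.SetNoStore();
        // must-revalidate / max-age=0 for caches that ignore no-store.
        response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        response.Cache.SetMaxAge(TimeSpan.Zero);
        // For NoCache, ASP.NET itself adds "Pragma: no-cache" and "Expires: -1"
        // for HTTP/1.0 clients, so they are not appended again here.

        base.OnResultExecuting(filterContext);
    }
}

// Assumed controller. The two attributes work together: [Authorize] handles
// the logged-out request, [NoBrowserCache] makes sure that request is sent.
[Authorize]
[NoBrowserCache]
public class AccountController : Controller
{
    public ActionResult Dashboard()
    {
        return View();
    }
}
```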
You should ask yourself: is this actually a problem? As the other solutions state, you're seeing client-side cached pages, so there is no load on your server, and none of the links or forms (or AJAX scripts or anything that talks to a controller) will work, so nothing can actually be done by someone who's logged out. Refreshing the page will also bring a not-authenticated page (whatever you set up for that).

You can disable client-side caching (in browsers that pay attention to such things, I'm not sure they all do) with the Pragma, Cache-Control and Expires headers; Dylan posted a good link for how to set those with MVC. But if you do that, the back button even while you're logged in will cause page refreshes/reloads, making it impossible for the user to use back/forward through the client-side cache.

There are a few high security situations where you can justify this behaviour. I very much doubt you're working in any of those, because if you were then you wouldn't be the kind of person who posts open questions on CodeProject. So, almost certainly, my advice is: don't do anything, this is not actually a problem.
Comments
Kosimek 29-Apr-14 10:48am    
What absolute rubbish. First of all, whether you doubt someone is working in a "high security situation" is irrelevant. The person asking the question is the one to decide that, not you. This issue is not about "load on your server", it is about safeguarding possible sensitive information. If all the information shown were in the public domain there would not be a need to have a user log in, now would there?
Most of the gazillion people with this issue (including myself) come here looking for solutions to an issue, not to hear your condescending personal opinion that "this is not actually a problem". If you have nothing concrete to contribute, don't respond.
BobJanova 29-Apr-14 10:59am    
I said how to do it if you need to (disable client-side caching and hope the browser respects the headers). I stand by the sentiment that you almost never need to do this.

The only purpose of doing it is to protect sensitive information from the user who was just accessing it. Site authentication solves a different problem: how to prevent information which is sensitive to a user being accessed by other users. Most people asking this question, including you judging by your reference to 'in the public domain' as the alternative, mix the two up.

If your potential problem is other users seeing someone's information, you only need server-side authentication and (if you worry about packet interception) HTTPS or another SSL-based transfer protocol. You do not need to mess with caching or the Back button unless you want a user not to be able to see what they were looking at before, and most people asking the question do not need that.

If you have nothing concrete to contribute, don't respond.
Have you really followed your own advice there? Responding to a 2-year-old post that wasn't even the 'accepted' answer to have a go at the answerer isn't much of a contribution, either.

That said, welcome to CP, hopefully we'll see you getting into the community and answering people's problems too!
Kosimek 29-Apr-14 12:34pm    
Bob, virtually all of the people asking this same question on a plethora of forums want the same result. Once logged out, you should not be able to see previously accessed pages and should be directed back to the login page. The redirect after clicking the Back button should only occur AFTER the logout has taken place and so preventing caching on every page after login is not a solution.

There really are no concepts to be "mixed up". The computer does not know who is clicking the Back button and therefore anyone having access to a user's computer can click the back button and, where confidential information has been shown to the authenticated user, can view that information.

Would you be okay with logging out of your Gmail account only to have someone else click the back button and see your mail? Of course not. I authenticate people in my applications and once they logout, click the back button and then click on any link in any of the previous pages they will be directed back to the login page. But that is not the issue. The previous pages (retrieved from cache) should not be visible to anyone.

Your assertion that "you only need server-side authentication" to prevent "other users" from seeing someone's information appears to show that you don't grasp the problem. Clicking the Back button does not involve the server-side, it only involves the client side over which you have no control. And that is exactly where the problem lies.

I have come across only one way that works flawlessly in Firefox (assuming that javascript has not been turned off). However, most restrictions and redirects you implement in IE and Chrome back to a login page can be overcome by rapidly clicking the back button. It will even get you past non-cached page error messages.

The real problem is in the lack of a unified mechanism (i.e. browser independent and platform independent) to be able to force a redirect to a specific page. The fact that there are no real standards for browsers in the first place (not a surprise, God forbid we'd have standards!) does not help either.

Of course what everyone is looking for can be achieved. Financial websites can do it, Hotmail can do it, Gmail and many others can do it but, after having looked for cross-browser, cross-platform solutions for 2-1/2 years, I still have not found anything that does the job. Most proffered solutions do not work at all and the one I found that does work does not work on all browsers.

So the question still stands, if you have a cross-browser, cross-platform solution (not a php, asp, .net solution etc.) please let me know. I am all ears!

As far as your original post goes. I am new to this forum but if the header says "Solution 3" and gets 5 stars, someone must have indicated it to be a solution, unless of course every response is marked as Solution which would be rather silly. Cheers.
You're probably seeing the cached pages. They will not be affected by a logout until the user actually goes to use the page and submit something.

How you disable caching, and for which pages or your entire site, is up to you.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)