I have an ASP.NET application using Forms Authentication. When the user clicks the Sign Out button on the page it runs the following code.
FormsAuthentication.SignOut();
Response.Expires = 0;
Response.Cache.SetNoStore();
Response.AppendHeader("Pragma", "no-cache");
However the user can still just press the back arrow and see the previous page without needing to log in again. I am sure it has something to do with the previous page being cached. How can I make sure they are prompted to log in again when going back?
It happens because your browser cached the page on the client. The solution is to prevent the caching of that page (or pages), by forcing the browser to request a new page even when pressing the Back button, instead of reading the saved one.
As you mentioned, on logout, simply unset the logged_in session variable, and destroy the session: <?php unset($_SESSION['logged_in']); session_destroy(); ?> If the user clicks back now, no logged_in session variable will be available, and the page will not load.
onload = function () { noBackPlease(); }; // Disables backspace on page except on input fields and textarea.
Response.Cache.SetCacheability(HttpCacheability.NoCache);
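Putting the cache-control suggestions together for ASP.NET, as an added example that is not from the original question or answers: an HttpModule that sends no-store headers on every authenticated response (the Back button re-displays the protected page, not the logout page, so the headers must be on the protected pages), plus a logout helper. The module name, the helper name, the use of FormsAuthentication.LoginUrl and the presence of a Session are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example; assumes a WebForms app using FormsAuthentication.
// Register in web.config under <system.webServer><modules>.
public class NoStoreForAuthenticatedPages : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Runs for every request once the Forms Authentication ticket has been read.
        app.PostAuthenticateRequest += (sender, e) =>
        {
            var ctx = ((HttpApplication)sender).Context;
            // Back re-displays the *protected* page from the browser cache, so the
            // no-store headers have to be sent with those pages, not only on logout.
            if (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            {
                ctx.Response.Cache.SetCacheability(HttpCacheability.NoCache);
                ctx.Response.Cache.SetNoStore();                         // Cache-Control: no-store
                ctx.Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1)); // Expires: already past
                ctx.Response.AppendHeader("Pragma", "no-cache");           // HTTP/1.0 caches
            }
        };
    }

    public void Dispose() { }
}

// Logout: drop the auth ticket and the server session, then redirect to the
// login page so the browser never keeps an authenticated response for this URL.
public static class Logout
{
    public static void SignOutAndRedirect(HttpContext ctx)
    {
        FormsAuthentication.SignOut();
        if (ctx.Session != null) ctx.Session.Abandon();
        // Overwrite the auth cookie with an expired one in case a stale copy remains.
        var expired = new HttpCookie(FormsAuthentication.FormsCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        };
        ctx.Response.Cookies.Add(expired);
        ctx.Response.Redirect(FormsAuthentication.LoginUrl, endResponse: true);
    }
}
```

With the module in place, pressing Back after logout makes the browser re-request the page, and the Forms Authentication handler redirects it to the login page instead of showing the cached copy.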
And now you know why you get the message, "You've been logged out. Please close this browser window for security reasons."
No cache is a workaround.
The penultimate workaround is to use ajax to pull any sensitive information down - this would be run again in the back case, and the information should not be cached. It's more connections and more latency, but due to modern browser caching there's not much that can be done except workarounds such as these.
-Adam