
Is there a way to keep a page from rendering once a person has logged out but hit the "back" button?


I have some website which requires a logon and shows sensitive information.

The person goes to the page, is prompted to log in, then gets to see the information.

The person logs out of the site, and is redirected back to the login page.

The person then can hit "back" and go right back to the page where the sensitive information is contained. Since the browser just thinks of it as rendered HTML, it shows it to them no problem.

Is there a way to prevent that information from being displayed when the person hits the "back" button from the logged out screen? I'm not trying to disable the back button itself, I'm just trying to keep the sensitive information from being displayed again because the person is not logged into the site anymore.

For the sake of argument, the above site/scenario is in ASP.NET with Forms Authentication (so when the user goes to the first page, which is the page they want, they're redirected to the logon page - in case that makes a difference).

Tom Kidd asked Sep 15 '08 15:09




1 Answer

The short answer is that it cannot be done securely.

There are, however, a lot of tricks that can be implemented to make it difficult for users to hit back and get sensitive data displayed.

    // Tell browsers and proxies not to cache or store this response.
    Response.Cache.SetCacheability(HttpCacheability.NoCache);
    Response.Cache.SetExpires(DateTime.Now.AddSeconds(-1));
    Response.Cache.SetNoStore();
    Response.AppendHeader("Pragma", "no-cache");

This will disable caching on the client side; however, this is not supported by all browsers.

If you have the option of using AJAX, then sensitive data can be retrieved using an UpdatePanel that is updated from client code, and therefore it will not be displayed when hitting back unless the client is still logged in.

Claus Thomsen answered Oct 19 '22 16:10
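
One way to check that a protected page really emits the no-cache headers the answer's snippet sets is to audit the raw response headers. This is an added example, not part of the original answer; the function names and the sample responses are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample responses (not captured from any real site).
HARDENED = """HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html"""

WEAK = """HTTP/1.1 200 OK
Cache-Control: private, max-age=600
Expires: Fri, 01 Jan 2100 00:00:00 GMT
Content-Type: text/html"""


def parse_headers(raw):
    """Parse a raw header block into {lowercase-name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_cache_headers(raw, now=None):
    """Return findings for a protected page; an empty list means nothing flagged."""
    now = now or datetime.now(timezone.utc)
    h = parse_headers(raw)
    # Cache-Control can be repeated or comma-separated; directives are case-insensitive.
    directives = {d.strip().lower().split("=")[0]
                  for v in h.get("cache-control", []) for d in v.split(",") if d.strip()}
    findings = []
    if "no-store" not in directives:
        findings.append("no-store missing: browser or proxy may keep a copy")
    if "public" in directives:
        findings.append("public set on an authenticated page")
    if not directives and any(v.lower() == "no-cache" for v in h.get("pragma", [])):
        findings.append("only Pragma: no-cache set; it is an HTTP/1.0 fallback")
    for value in h.get("expires", []):
        try:
            expires = parsedate_to_datetime(value)
        except (TypeError, ValueError, IndexError):
            continue  # invalid dates such as "-1" count as already expired
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if expires > now:
            findings.append("Expires is in the future")
    return findings
```

Run it against the headers of every page behind the login, taken from a proxy log or a saved response, so that a page missing the directives shows up before a user finds it with the back button.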