June 8, 2009 / kiranpatils

Logout problem or Back Button Problem after signout

Challenge:

1. You are using ASP.NET’s Forms Authentication.

2. All your pages [except the Login page 🙂] should be accessible only to authenticated users.

3. You have a Signout/Logout button where you are doing something like this:

4. Now the user is logged out and viewing the Login page. If he/she tries to go back using the browser’s Back button, the secured page can still be viewed [Hoohh.. it’s a loophole]. Or some expert user plays directly with the address bar, types say /MyAccountSummary.aspx [Nooooooo], and he/she can access the page.

Now you must be wondering: I have logged out the user using standard ASP.NET methods, so how can the user still access the secure items? Don’t get excited and say it is a “BUG IN ASP.NET”… [Please note my words: there is very little chance you will find a bug in Microsoft’s framework.] So before pointing at them we should have our fundamentals clear 🙂

Solution:

Okay, let me tell you why this strange behavior happens. It is because of client-side browser caching: to improve performance, browsers cache pages on the client machine. So whatever secured item the user views after logout is coming from the cache; the server is not aware of it [else it is smart enough to stop this :)]. So, let’s stop this client-side browser caching with the following code.

Put this in the Page_Load of each page that you don’t want to be cached on the client side:

Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();

That’s it🙂

Before going for celebration, please see some of my best practices.

As an OOP guy, I suggest that you create a class [NoCachePage.cs] known as “NoCachePage” which derives directly from System.Web.UI.Page. It looks like the following:

using System;
using System.Web;

/// <summary>
/// Author : Kiran Patil
/// Date   : 08-June-2009
/// Description: This Page will be used to act
///              as a base page for all the pages
///              which should not get cached at client
///              side
/// </summary>
public partial class NoCachePage : System.Web.UI.Page
{
    /// <summary>
    /// Sets the no-cache headers on every load. OnLoad is overridden
    /// (instead of declaring Page_Load) so the headers are still sent
    /// when a derived page declares its own Page_Load.
    /// </summary>
    /// <param name="e">EventArguments</param>
    protected override void OnLoad(EventArgs e)
    {
        Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();

        // Raises the Load event, which runs the derived page's Page_Load.
        base.OnLoad(e);
    }
}

Now derive every page of your application that should not get cached on the client side from NoCachePage. It looks like the following:

using System;

/// <summary>
/// Author : Kiran Patil
/// Date   : 08-June-2009
/// Description: This Page will be used to load
///              Account summary of an user
/// </summary>
public partial class AccountSummaryPage : NoCachePage
{
    /// <summary>
    /// This function will be used to load
    /// initial data for a page
    /// </summary>
    /// <param name="sender">Page</param>
    /// <param name="e">EventArguments</param>
    protected void Page_Load(object sender, EventArgs e)
    {
        //secure code goes here..I can give you
        //guarantee that it is secure now..
    }
}
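
The same three calls can also be applied once for the whole site instead of per page. The following is an added example, not code from the original post: it goes beyond the base-page approach by using an HTTP module, and the class name NoCacheForAuthenticatedUsersModule is hypothetical.

```csharp
using System;
using System.Web;

// Added example (hypothetical class name): applies the post's three cache
// calls to every response served to a signed-in user, so a page that forgets
// to derive from NoCachePage is still not stored by the browser.
public class NoCacheForAuthenticatedUsersModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        // PostAuthenticateRequest fires after Forms Authentication has read
        // the ticket, so Request.IsAuthenticated is meaningful here.
        application.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        // Anonymous responses (for example the login page) keep their
        // normal caching behaviour.
        if (!context.Request.IsAuthenticated)
        {
            return;
        }

        HttpCachePolicy cache = context.Response.Cache;
        cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
        cache.SetCacheability(HttpCacheability.NoCache);
        cache.SetNoStore();
    }

    public void Dispose()
    {
        // Nothing to release.
    }
}
```

The module takes effect once it is registered in web.config, under httpModules or, for the IIS 7+ integrated pipeline, under system.webServer/modules.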

HTH

Please don’t forget to have a look at this link:
http://forums.asp.net/t/1432437.aspx


7 Comments

  1. Bikash / Dec 14 2009 8:38 pm

    thanks
    it helps me to complete my project
    best of luck
    god bless u

  2. Rina / Nov 17 2010 3:20 pm

    Thanks. My application supports both IE 6 and 7. This works on IE 7 but it does not work on IE 6.0.2900. Is there any other solution? Thanks in advance.

  3. Umar Nabi / Mar 20 2011 7:28 am

    May Allah give u peace…
    nice.. it helps me a lot…

    HADAKALLAH

  4. Syed Zubair / Jul 5 2012 11:25 am

    Thanks, this code is very helpful.. I solved my problem, thank you…

  5. MMANICKAM / Feb 20 2014 8:44 am

    where to place those codes?

    • kiranpatils / Feb 27 2014 11:41 am

      you can try this to put in your pages: Page_Load – which you don’t want to be cached by client side:
