Forms Authentication No Cache AND avoiding Web Page Has Expired Ms

[checkraiser]

I have a site which I secure with forms authentication. When the user's
sign on and hit one of the secure pages, I have this line in my code to
ensure that the browser does not cache the page; and someone cannot navigate
back to an cached image of the page in theory after the user has signed off.

Response.Cache.SetCacheability(HttpCacheability.NoCache);

This works all right, except when the user decides to use the browser's back
button to navigate between a menu page and a web page inside the secure forms
authentication directory; the page they are going back to while they're
logged in in the secure directory gets expired and they get the Web Page Has
Expired Msg.
While they are signed in and in the secure directory I would like them to be
able to go back and forth to the area freely; but I want to destoy the cache
of the pages they visited upon logout or session expiration. Is there a way
to do this? Or to force the browser to reload a page completely when it's
expired?

 

[Michael Nemtsev [MVP]]

Hello (e-mail address removed),

How do u handle session expiration and logout?! do u have special logout
stuff for your webservice and how do you clear session/cache during logout/expiration?!

---
WBR,
Michael Nemtsev [Microsoft MVP] :: blog: http://spaces.live.com/laflour

"The greatest danger for most of us is not that our aim is too high and we
miss it, but that it is too low and we reach it" (c) Michelangelo


c> I have a site which I secure with forms authentication. When the
c> user's sign on and hit one of the secure pages, I have this line in
c> my code to ensure that the browser does not cache the page; and
c> someone cannot navigate back to an cached image of the page in theory
c> after the user has signed off.
c>
c> Response.Cache.SetCacheability(HttpCacheability.NoCache);
c>
c> This works all right, except when the user decides to use the
c> browser's back
c> button to navigate between a menu page and a web page inside the
c> secure forms
c> authentication directory; the page they are going back to while
c> they're
c> logged in in the secure directory gets expired and they get the Web
c> Page Has
c> Expired Msg.
c> While they are signed in and in the secure directory I would like
c> them to be
c> able to go back and forth to the area freely; but I want to destoy
c> the cache
c> of the pages they visited upon logout or session expiration. Is
c> there a way
c> to do this? Or to force the browser to reload a page completely when
c> it's
c> expired

 

[checkraiser]

This is done via a asp login status control-which is a link; when clicked it
fires off the onloggingout event, which calls these two methods:

Session.RemoveAll();
Session.Abandon();

There's also the session timeout.

 

[Steven Cheng [MSFT]]

Hi,

Based on my understanding, what you want to do is use
"Response.Cache.SetCacheability(HttpCacheability.NoCache);" to prevent some
pages from being cached at client-side. And you also want to allow the
cache when the current user has login , but remove the cache after it
logout or session timeout, correct?

If this is the case, I'm afraid it is quite difficult for browser base web
application. That's because the "Response.Cache.SetCacheability
HttpCacheability.NoCache);" just set the http cache header when the page is
flush out. Thus, if you originally enable cache for that page(when the user
is login at that time), you cannot access that cache or remove it from
ASP.NET code later(if the user logout), all the caches are controled by the
client browser since then. IMO, if security is the top priority, the best
approach is still disable caching for all those security sensitive pages
(for both login and logout users). How do you think?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------

Thread-Topic: Forms Authentication No Cache AND avoiding Web Page Has Expire
thread-index: Acj/IUoHJ1WAnWAoRSWkKjlTao8O7Q==
X-WBNR-Posting-Host: 207.46.19.197
Date: Fri, 15 Aug 2008 14:53:02 -0700

This is done via a asp login status control-which is a link; when clicked it
fires off the onloggingout event, which calls these two methods:

Session.RemoveAll();
Session.Abandon();

There's also the session timeout.

Hello (e-mail address removed),

How do u handle session expiration and logout?! do u have special logout
stuff for your webservice and how do you clear session/cache during logout/expiration?!

---
WBR,
Michael Nemtsev [Microsoft MVP] :: blog: http://spaces.live.com/laflour

"The greatest danger for most of us is not that our aim is too high and we
miss it, but that it is too low and we reach it" (c) Michelangelo

 

[checkraiser]

Steven,

Thank you for your response.

I have two issues out of this one central issue.

1.) The users complaining that they can't use the browser's back button to
go back to one of these secure pages without seeing "Web Page Has Expired,"
and having to use a specific Back button that I've put on the pages in the
application, which does a response.redirect to a page and does NOT give them
this message. They want to be able to use the browser's back button and have
the page reload itself. Without getting prompted for a reload, or seeing
some error page in lieu of the real page they're trying to get to.

2.) I don't want the forms authentication pages to be available in cache
after the user has timed out or has logged off, so that some other user using
the same PC can come along and view the "secure" page later without even
logging into the system and have the proper authentication for role.

So it sounds like from your last post this might be difficult to do. Are
there any solutions?

Hi,

Based on my understanding, what you want to do is use
"Response.Cache.SetCacheability(HttpCacheability.NoCache);" to prevent some
pages from being cached at client-side. And you also want to allow the
cache when the current user has login , but remove the cache after it
logout or session timeout, correct?

If this is the case, I'm afraid it is quite difficult for browser base web
application. That's because the "Response.Cache.SetCacheability
HttpCacheability.NoCache);" just set the http cache header when the page is
flush out. Thus, if you originally enable cache for that page(when the user
is login at that time), you cannot access that cache or remove it from
ASP.NET code later(if the user logout), all the caches are controled by the
client browser since then. IMO, if security is the top priority, the best
approach is still disable caching for all those security sensitive pages
(for both login and logout users). How do you think?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------

Thread-Topic: Forms Authentication No Cache AND avoiding Web Page Has Expire
thread-index: Acj/IUoHJ1WAnWAoRSWkKjlTao8O7Q==
X-WBNR-Posting-Host: 207.46.19.197
Date: Fri, 15 Aug 2008 14:53:02 -0700

This is done via a asp login status control-which is a link; when clicked it
fires off the onloggingout event, which calls these two methods:

Session.RemoveAll();
Session.Abandon();

There's also the session timeout.

Hello (e-mail address removed),

How do u handle session expiration and logout?! do u have special logout
stuff for your webservice and how do you clear session/cache during logout/expiration?!

---
WBR,
Michael Nemtsev [Microsoft MVP] :: blog: http://spaces.live.com/laflour

"The greatest danger for most of us is not that our aim is too high and we
miss it, but that it is too low and we reach it" (c) Michelangelo

 

[Steven Cheng [MSFT]]

Thanks for your reply,

Yes, for the 1) one you mentioned, I'm afraid that's the case. the user has
to revisit the page if the original has got expired. That's the safe
strategy for that case.

Anyway, for expiring a page, we could only determine whether it should be
always un-cached on client-side, but not dynamically cache it or invalidate
its cache on client-side(depend on whether the user is logon or not).

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------

From: =?Utf-8?B?Y2hlY2tyYWlzZXJAY29tbXVuaXR5Lm5vc3BhbQ==?=

Subject: Re: Forms Authentication No Cache AND avoiding Web Page Has Expire
Date: Wed, 27 Aug 2008 10:16:10 -0700