Marcio Kleemann
I'm using FormsAuthentication to secure access to a web site. The
authentication process works correctly initially. The pages on the site have
a "logout" button, which basically calls FormsAuthentication.SignOut() and
redirects the user to the login page.
The problem is that after the user logs out, if they were to use their
browser's "Back" button (or even enter the URL to the page directly on the
browser), they are allowed into that page. This is probably because the
browser is simply re-rendering the page without going back to the server
(I've verified that it does not go back to the server by placing a
breakpoint on page_load). Interestingly enough, if you enter a URL for a
page on that web site that was not navigated to while the user had been
authenticated, then it correctly kicks them to the login page. But any page
that was visited during the authenticated session continues to be available
on that browser even after SignOut.
Since this needs to be solved on the client side, I'm trying to implement
something using the client's onload event, which is raised every time the
browser renders the page (whether through Back button, etc). But the problem
is that with client-side scripting like JavaScript or VBScript I don't have
access to session variables and such - which I could otherwise use to
indicate that the user is no longer authenticated. So I'm at a loss as to
how to handle this.
If someone has dealt with this before, I'd much appreciate pointing me in
the right direction.
Thanks
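
The symptom in this post (pages viewed while signed in reappear on Back without a server round trip) is the browser reusing its stored copy of those responses. As an added example, not part of the original post, here is an ASP.NET module that marks every authenticated response as non-storable so that navigating back after SignOut() produces a request the server can redirect to the login page. The class names `NoCacheForAuthenticatedModule` and `LogoutHelper` are hypothetical, and the module is assumed to be registered in web.config.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example. Hypothetical class names; register the module in web.config
// under <system.webServer><modules> (or <system.web><httpModules> in classic mode).
public class NoCacheForAuthenticatedModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Request.IsAuthenticated is only meaningful once the forms ticket
        // has been validated, so hook the event that fires after that.
        app.PostAuthenticateRequest += OnPostAuthenticate;
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (!ctx.Request.IsAuthenticated)
            return; // login page and public content keep their normal caching

        HttpCachePolicy cache = ctx.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);        // no-cache
        cache.SetNoStore();                                     // no-store
        cache.SetExpires(DateTime.UtcNow.AddDays(-1));          // already expired
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches); // must-revalidate
    }

    public void Dispose() { }
}

public static class LogoutHelper
{
    // Call from the logout button's server-side click handler.
    public static void SignOut(HttpContext ctx)
    {
        FormsAuthentication.SignOut();     // expires the forms-auth cookie
        if (ctx.Session != null)
            ctx.Session.Abandon();         // drop server-side session state
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Copies stored before these headers were in place stay in the browser until they are evicted, so check the result with a fresh browser profile and confirm the `Cache-Control` header in the network panel.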