Prevent accessing page via browser history

[Pål A.]

Have a "standard" asp.net web solution which uses the standard asp.net
authentication and authorization methods (forms authentication).

Some users have raised concern that even if you logout (which brings
the user back to the login.aspx page) you can seemingly navigate back
in via the back-button and the browser history.

If user A is viewing a page and then clicks logout and leaves (browser
not at login.aspx). User B comes along and can easily click "back" in
the browser to see what user A was doing.

One way around this would be to prevent client-side caching by the
browser, but I dont want to remove the users ability to use "back" and
"forward".

I'm considering making some javascript that via AJAX check with the
server onLoad that the session is still valid. This means that each
page request results in yet another server call. Another option could
perhaps be checking for a cookie that I delete when logging out.

Any tips? How have you solved this problem?

 

[bruce barker]

you need to set nocache on. back will still work, the browser will just hit
the server again. code your pages to handle this case. put a trans guid in
each pages viewstate so you can detect a "cache" hit.

-- bruce (sqlwork.com)

 

[Pål A.]

you need to set nocache on. back will still work, the browser will just hit
the server again. code your pages to handle this case. put a trans guid in
each pages viewstate so you can detect a "cache" hit.

Won't going "back" to a page with nocache cause a re-post? Most all
pages in asp.net have some sort of postback on them. Having a trans
guid or ticket or what ever and only act when the ticket is valid is a
nice option, but not something I want to implement on an existing
system.