  1. #1
    Join Date
    Apr 2008
    Posts
    43

    FormsAuthentication and Back Button

    Here's a problem which I'm really starting to think has no solution.

    I have a web page that requires users to log in using FormsAuthentication. Users cannot go to pages unless they are logged in.

    The problem is that when the user logs out they can click the "back-button" to see the page they were on when they clicked log out. This is because the page is stored locally in the user's cache. One way to fix this is to prevent pages from being stored in the user's cache, however this means that they cannot use the back button while they are still logged in. Surely there is a way to compromise. Online banking websites do it so it must be possible.

    Basically I want to be able to log on, navigate through pages while still being logged on and be able to use the back button. If I log out and use the back button I want to be redirected to the login page.

  2. #2
    Join Date
    Nov 2007
    Location
    .NET 3.5 / VS2008 Developer
    Posts
    624

    Re: FormsAuthentication and Back Button

    if you are using the FormsAuthentication class, then this would be fairly easy using this...

    Code:
    FormsAuthentication.SignOut();

  3. #3
    Join Date
    Apr 2008
    Posts
    43

    Re: FormsAuthentication and Back Button

    That's how the user does log out. If they then make a request to the server for one of the pages they are redirected to the log in page. My problem is that they can still use the back button to get the pages they looked at while they were logged in because these are stored locally in the user's machine's cache. The browser doesn't need to request the pages from the server meaning FormsAuthentication isn't used.

    As I said above, I know how to prevent pages being stored in the user's machine's cache but doing this means the user can't use the back button while they are still logged in. I want them to be able to use it while logged in but if they click it after they've logged out I want them to be redirected to the log in page.

  4. #4

    Re: FormsAuthentication and Back Button

    What method are you using to stop the data from being cached? Also, this may be browser dependent - are you expecting a certain browser version?

  5. #5
    Join Date
    Apr 2008
    Posts
    43

    Re: FormsAuthentication and Back Button

    I'm not preventing data from being cached. If I did it would solve the problem of the user hitting the back button after they've logged out but it would also mean they could not use the back button while they are logged in and I'm hoping to retain this functionality. Preventing the data from being cached is my final option if I can't find another way of doing it.

    I use Natwest online banking and if you log out and then try to go back it seems to actually change the page in the history as you are shown the log in screen but you can still use the forward button. Anyone got an idea of how to do it this way?

  6. #6
    Join Date
    Nov 2007
    Location
    .NET 3.5 / VS2008 Developer
    Posts
    624

    Re: FormsAuthentication and Back Button

    can't you clear the cache when the user logs out?

  7. #7
    Join Date
    Apr 2008
    Posts
    43

    Re: FormsAuthentication and Back Button

    That could work. How do you clear the cache?

  8. #8
    Join Date
    Nov 2007
    Location
    .NET 3.5 / VS2008 Developer
    Posts
    624

    Re: FormsAuthentication and Back Button

    there is probably another way, but this is one way.

    http://en.csharp-online.net/Clear_In...Explorer_cache

  9. #9
    Join Date
    Mar 2002
    Location
    St. Petersburg, Florida, USA
    Posts
    12,125

    Re: FormsAuthentication and Back Button

    Quote Originally Posted by eclipsed4utoo
    there is probably another way, but this is one way.

    http://en.csharp-online.net/Clear_In...Explorer_cache
    That has a number of down-sides, including clearing things other than pages which require the user to be logged in.

    If the pages are already "active" (most aspx pages are...html pages may not be), then one alternative is to only allow the client to cache certain items, and get other information from the server on each view.

    This will trigger a round trip and the page can be re-directed. If the transferred content is "light", then the performance issue will be minimal.

    This has additional benefits (for example it prevents the user from making a copy of the cache while logged in).

  10. #10
    Join Date
    Apr 2008
    Posts
    43

    Re: FormsAuthentication and Back Button

    thanks for your help everyone. I managed to come up with a solution using javascript and cookies:

    when the user logs in a cookie is created. when the user logs out the cookie is deleted. in the onload of every page a javascript function is run which looks to see if the cookie exists. if it doesn't then the user is redirected to the log in page. quite simple really. not sure why it was giving me such a headache

  11. #11
    Join Date
    Nov 2007
    Location
    .NET 3.5 / VS2008 Developer
    Posts
    624

    Re: FormsAuthentication and Back Button

    Quote Originally Posted by johntheface
    thanks for your help everyone. I managed to come up with a solution using javascript and cookies:

    when the user logs in a cookie is created. when the user logs out the cookie is deleted. in the onload of every page a javascript function is run which looks to see if the cookie exists. if it doesn't then the user is redirected to the log in page. quite simple really. not sure why it was giving me such a headache
    so you are using client-side scripting for security? What if somebody disables javascript in their browser?

  12. #12
    Join Date
    Apr 2008
    Posts
    43

    Re: FormsAuthentication and Back Button

    sorry, i should have said from the outset that this is a web-application rather than a website. if they disable javascript the application won't work at all

  13. #13
    Join Date
    Nov 2007
    Location
    .NET 3.5 / VS2008 Developer
    Posts
    624

    Re: FormsAuthentication and Back Button

    Quote Originally Posted by johntheface
    sorry, i should have said from the outset that this is a web-application rather than a website. if they disable javascript the application won't work at all
    it's still not that secure. You can easily edit the client-side code (view source from any browser), save as an .aspx file, then open it without the javascript checking for the cookie.

    Why don't you do the checking of the cookie on the server side using the Page_Load event?

    I have a similar situation where I have a number (6-7) of web applications that are secured. I use the web.config file and the FormsAuthentication class to do all the re-routing if the user isn't authenticated.
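
    An added example, not code posted by anyone in this thread: the server-side check suggested in post #13 combined with the "round trip on each view" idea from post #9, for classic ASP.NET Web Forms. The class names SecurePage and Logout are hypothetical, and it assumes forms authentication is already configured in web.config and session state is enabled.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical base class: every page that requires a logged-in user inherits from it.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // Server-side check. Unlike a script in the page, the client cannot
        // edit it out or switch it off.
        if (!Request.IsAuthenticated)
        {
            // RedirectToLoginPage does not end the request by itself,
            // so stop processing explicitly before any content is rendered.
            FormsAuthentication.RedirectToLoginPage();
            Response.End();
        }

        // Ask the browser and any proxy not to keep a copy of this response,
        // so pressing Back causes a new request that reaches the check above.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));
        Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);

        base.OnInit(e);
    }
}

// Hypothetical code-behind for the log out page.
public class Logout : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // Expire the forms-authentication ticket cookie on the client.
        FormsAuthentication.SignOut();

        // Drop server-side session data tied to the old login
        // (assumes session state is enabled for this page).
        Session.Abandon();

        FormsAuthentication.RedirectToLoginPage();
        Response.End();
    }
}
```

    Static items such as images, scripts and style sheets do not pass through this class and can stay cacheable, which keeps each round trip light as post #9 describes.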

  14. #14
    Join Date
    Apr 2008
    Posts
    43

    Re: FormsAuthentication and Back Button

    could you give me an example?

    i wouldn't have thought it would work because when the user hits the back button there is no interaction with the server, the page is just pulled straight from the cache. this means i can't use any c# code

  15. #15
    Join Date
    Oct 2006
    Posts
    181

    Re: FormsAuthentication and Back Button

    Use frames. Have the content frame expire immediately.

    <meta http-equiv="expires" content="-1" />
