
When a user clicks "Logout", the following (standard) action is successfully called:

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        WebSecurity.Logout();

        return RedirectToAction("Login", "Account");
    }

The user is redirected to the Login Page.

When clicking "Back" in the browser, though, the user is able to still see the last page where he/she was still logged in. If he/she then tries to perform an action, the user is successfully redirected to the login page because he is not authorized anymore.

Is there any way I can prevent a logged out user from seeing authorized stuff by clicking "Back" in the browser? Each of my controllers has the attribute [Authorize], already. Thank you for your input!

peter
  • By not letting authorized pages be cached. There are more questions on this subject, try the search. – CodeCaster Jun 05 '13 at 07:55
  • [This question](http://stackoverflow.com/questions/16337149/how-to-clear-browser-cache-on-browser-back-button-click-in-mvc4) is somewhat similar and might help you. – Niklas Jun 05 '13 at 07:57
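Following CodeCaster's comment, the server-side fix is to tell the browser never to store the authorized responses, so that Back has to re-request the page and runs into [Authorize] again. The filter below is an added example, not code from the question or from any of the answers; the attribute name NoBrowserCacheAttribute is my own choice, and the FilterConfig class is shown as it would look after adding one line to the App_Start/FilterConfig.cs that the MVC 4 template generates.

```csharp
using System.Web;
using System.Web.Mvc;

// Added example (not from the question or answers). Marks every response of
// the actions it is applied to as uncacheable, so that pressing Back after
// WebSecurity.Logout() makes the browser re-request the page instead of
// showing its stored copy; that fresh request hits [Authorize] and is
// redirected to the login page.
public class NoBrowserCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;

        // Cache-Control: no-cache (ASP.NET also emits Pragma: no-cache and
        // Expires: -1 for this cacheability, covering HTTP/1.0 caches)
        cache.SetCacheability(HttpCacheability.NoCache);

        // Cache-Control: no-store - the body must not be kept on disk or in
        // memory at all, which is the part that matters for the Back button
        cache.SetNoStore();

        // Cache-Control: must-revalidate - a stale copy may never be served
        // silently by any intermediate cache
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches);

        base.OnResultExecuting(filterContext);
    }
}

// App_Start/FilterConfig.cs after the change: registering the filter globally
// is safer than decorating controllers one by one, because a single forgotten
// controller is enough to leave an authorized page in the browser cache.
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new NoBrowserCacheAttribute());
    }
}
```

Check the result in the browser's network panel (or with curl -I): every authorized page should come back with Cache-Control: no-cache, no-store, must-revalidate. The no-store directive is also what, historically, keeps Firefox and Chrome from restoring the page from their back/forward cache, which is the case the onpageshow/event.persisted trick in Rajeev Bera's answer tries to handle on the client side; the header-based fix does not depend on JavaScript being enabled.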

3 Answers


Realistically, no, since what they're seeing is a cached version of the page in their browser. You could, I suppose, try to catch the back-navigation event with JavaScript, but I tend to find that practice highly annoying, and it's not all that hard to circumvent.

As you say, when the user attempts to perform any action, they are forced to authenticate again, so they really aren't seeing anything on a back-navigate that they weren't already privy to, so the real question is if there is justification for spending the time to fix what is likely a non-issue.

Tieson T.

Yes, you can do that

You need to add a small JavaScript function to the master page or to the .aspx page, as per your need.

<script type="text/javascript">
    // Run once on load: if the page was reached with Back, there is a
    // "forward" entry in the history, and this jumps straight to it.
    window.history.forward();
    function noBack() { window.history.forward(); }
</script>

and on page body you can add

 <!-- onpageshow catches the case where the browser restores the page from
      its back/forward cache (event.persisted) without firing onload again;
      the empty onunload handler makes older browsers skip that cache. -->
 <body onload="noBack();" onpageshow="if (event.persisted) noBack();" onunload="">

If the user presses the Back button on the page, he will be sent to the current page, as the history.forward code pushes the user back to the current page. Thus the user will not be able to go back.

Hope it will help.

Rajeev Bera

If you are using forms authentication then the following is an answer for you.

Logout issue with browser back button

Jalpesh Vadgama