
After a user logs out, the browser is redirected to the Login.aspx page, but after pressing the Back button the user is still able to see the previous pages.

I have already used JavaScript to disable the Back button. My Logout.aspx is as follows:

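<%@ Page Language="VB" AutoEventWireup="false" CodeFile="Logout.aspx.vb" Inherits="Logout" %>
<%--
    Logout page. The code-behind redirects to the login page from Page_Load,
    so this markup is normally never delivered to the browser.

    Nothing on this page is an access control. The meta tags and the history
    scripts below affect only this page; they cannot remove copies of the
    protected pages that the browser stored earlier. To keep those pages from
    reappearing on Back, the protected pages themselves must be served with
    "Cache-Control: no-store", and every protected page must check
    authentication on the server for each request.
--%>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >

<head runat="server">
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="-1" />
<meta http-equiv="CACHE-CONTROL" content="NO-CACHE" />
    <title>Untitled Page</title>
    <script type="text/javascript">
        // Best effort only: step forward in history if there is a forward entry.
        history.go(1);
    </script>
</head>
<%--
    The original <body> carried onload="changeHashOnLoad();", but no such
    function is defined on this page, and the script below assigns
    window.onload afterwards and so replaced that handler anyway. The
    attribute is dropped.
--%>
<body>
    <form id="form1" runat="server">
    <div>

    </div>
    </form>
    <script type="text/javascript">
        // Convenience for the user interface, not a security measure: the
        // user can disable JavaScript or open history entries directly.
        function noBack() { window.history.forward(); }

        noBack();
        // Function reference instead of a string, so nothing is evaluated as code.
        setTimeout(noBack, 0);
        window.onload = noBack;
        // evt.persisted is true when the page is restored from the
        // back/forward cache instead of being loaded again.
        window.onpageshow = function (evt) { if (evt.persisted) { noBack(); } };
        // Deliberately empty unload handler, kept from the original.
        window.onunload = function () { void (0); };
    </script>
</body>
</html>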

And Logout.aspx.vb is as follows:

Imports System.Data.SqlClient
Imports System.Data

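Partial Class Logout
    Inherits System.Web.UI.Page

    ''' <summary>
    ''' Ends the current login: signs out of forms authentication, destroys the
    ''' server-side session, expires the related cookies, writes a logout audit
    ''' row and redirects to the login page.
    ''' </summary>
    ''' <remarks>
    ''' Response.Redirect(url) ends the response, so no statement after it runs.
    ''' The previous version redirected in the middle of this handler, which
    ''' meant the session was never cleared or abandoned. The redirect is now
    ''' the last statement.
    '''
    ''' The cache headers set here apply to this response only. They do not
    ''' evict pages the browser stored before logout; the protected pages have
    ''' to send no-store themselves and check authentication on every request.
    ''' </remarks>
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load

        ' Keep the logout response itself out of browser and proxy caches.
        Response.Cache.SetCacheability(HttpCacheability.NoCache)
        Response.Cache.SetExpires(Now.AddSeconds(-1))
        Response.Cache.SetNoStore()
        Response.AppendHeader("Pragma", "no-cache")

        ' Read the audit fields before the session is destroyed. Convert.ToString
        ' returns "" for a missing key, so a request that arrives after the
        ' session has expired no longer fails with a NullReferenceException.
        Dim loginId As String = Convert.ToString(Session("login"))
        Dim userName As String = Convert.ToString(Session("topusr"))

        ' Tear the login down before anything that can fail, so an error in the
        ' audit call cannot leave the user signed in.
        System.Web.Security.FormsAuthentication.SignOut()
        Session.Clear()
        Session.Abandon()

        ' An empty cookie without an expiry date is only overwritten, not
        ' removed. Expire both cookies so the browser deletes them.
        ' NOTE(review): the ASP.NET default session cookie name is
        ' "ASP.NET_SessionId"; confirm which name and casing this site uses.
        ExpireCookie("Asp.Net_SessionId")
        ExpireCookie("ASMSAUTH")

        ' Only an actual login is audited; an anonymous hit is not a logout.
        If loginId.Length > 0 Then
            WriteLogoutAudit(loginId, userName)
        End If

        ' NOTE(review): this writes application-wide state shared by all users,
        ' and it was unreachable before because it followed a redirect. Confirm
        ' that it is still wanted.
        Application("genericstr") = "uu"

        ' Same target as the redirect that took effect in the previous version.
        Response.Redirect("login.aspx")
    End Sub

    ''' <summary>
    ''' Adds a response cookie that tells the browser to delete the named cookie.
    ''' </summary>
    ''' <param name="cookieName">Name of the cookie to expire.</param>
    Private Sub ExpireCookie(ByVal cookieName As String)
        Dim expired As New HttpCookie(cookieName, "")
        expired.Expires = DateTime.Now.AddDays(-1)
        expired.HttpOnly = True
        Response.Cookies.Add(expired)
    End Sub

    ''' <summary>
    ''' Writes the "Logout Success" row through the sp_audit1 stored procedure.
    ''' </summary>
    ''' <param name="loginId">Login id read from the session before teardown.</param>
    ''' <param name="userName">User name read from the session before teardown.</param>
    Private Sub WriteLogoutAudit(ByVal loginId As String, ByVal userName As String)
        ' Dns.GetHostName() is the name of the machine running this code
        ' (the web server), not of the client computer.
        Dim strHostName As String = System.Net.Dns.GetHostName()
        Dim clientip As String = GetIpAddress()

        ' Every value is bound as a SqlParameter, so request-derived text such
        ' as the client address is passed as data, never as SQL.
        Dim params() As SqlParameter = New SqlParameter(6) {}
        params(0) = New SqlParameter("@compname", strHostName)
        params(1) = New SqlParameter("@ip_add", clientip)
        params(2) = New SqlParameter("@mac_add", "")
        params(3) = New SqlParameter("@login_id", loginId)
        params(4) = New SqlParameter("@user_name", userName)
        params(5) = New SqlParameter("@login_status", "Logout Success")
        params(6) = New SqlParameter("@counted", "Y")

        Dim cnString As String = ConfigurationManager.ConnectionStrings("patravaliConnectionString").ToString
        Dal.ExecuteNonQuery(cnString, CommandType.StoredProcedure, "sp_audit1", params)
    End Sub

    ''' <summary>
    ''' Returns the address recorded as the client IP in the audit row.
    ''' </summary>
    ''' <returns>
    ''' The X-Forwarded-For header when the request carries a non-empty one,
    ''' otherwise the address of the connecting peer (REMOTE_ADDR).
    ''' </returns>
    ''' <remarks>
    ''' X-Forwarded-For is an ordinary request header: any client can send an
    ''' arbitrary string in it, and it may hold a comma-separated list. Treat
    ''' the result as unverified text in the audit trail unless the site sits
    ''' behind a proxy that overwrites the header. Where no such proxy exists,
    ''' REMOTE_ADDR is the value to rely on.
    ''' </remarks>
    Public Function GetIpAddress() As String
        Dim forwardedFor As String = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
        If Not String.IsNullOrEmpty(forwardedFor) Then
            Return forwardedFor
        End If

        ' No forwarding header: use the peer address of the connection.
        Return Request.ServerVariables("REMOTE_ADDR")
    End Function
End Class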

The previous page that is shown is only a cached copy, because any change made on that page redirects to the home page. But all the previous pages contain information that should be visible only to the logged-in user.

  • Did you use SetCacheability on the other pages as well? And don't rely on JavaScript to disable the Back button; it can be circumvented. – Crowcoder Sep 25 '14 at 09:44
  • 1
    Nitish Andola -- **Check this Link** : http://stackoverflow.com/questions/16337149/how-to-clear-browser-cache-on-browser-back-button-click-in-mvc4 – Rahul Jain Sep 25 '14 at 09:45
  • @Crowcoder Should I apply it on every page of my Application as it contains approx 70 pages. – Nitish Andola Sep 25 '14 at 10:12
  • No, you shouldn't have to do it on all 70 pages, especially since it is more of a suggestion than anything. It asks the browser to cache or not, but the browser could ignore it, though all browsers probably honor it. This is an age-old question with no good answer. Ever logged out of your bank website and got a message requesting you close out all browser windows? This is why. – Crowcoder Sep 25 '14 at 10:37
  • @RahulJain Thanks a lot For the Link and Help – Nitish Andola Sep 25 '14 at 11:19
  • @Crowcoder Thanks a lot for the link and help. I applied it to Global.asax – Nitish Andola Sep 25 '14 at 11:20
