Currently working on an ASP.NET MVC 3.0 application and using FormsAuthentication.
When the user clicks the Logoff link, it calls the following:
    using System.Web.Mvc;
    using System.Web.Security;
    public class AccountController : Controller   // controller name assumed; not given in the question
    {
        public ActionResult LogOff()
        {
            FormsAuthentication.SignOut();        // clears the forms-authentication ticket cookie
            return RedirectToAction("Index", "Home");
        }
    }
Works great!
But if the user clicks the BACK button, he gets to see his previous page (although he won't be able to do anything since the [Authorize] attribute is set), and we didn't want that.
After many searches and posts regarding this subject, I ended up creating a custom ActionFilter called [NoCache], which is placed right underneath each [Authorize] attribute I have.
The [NoCache] attribute looks like this:
    using System;
    using System.Web;
    using System.Web.Mvc;

    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
    public class NoCacheAttribute : ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // The request's own context is used instead of the static HttpContext.Current;
            // the headers emitted are identical, but the filter is now unit-testable.
            HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;
            cache.SetExpires(DateTime.UtcNow.AddDays(-1));          // Expires: a date in the past
            cache.SetValidUntilExpires(false);
            cache.SetRevalidation(HttpCacheRevalidation.AllCaches); // Cache-Control: must-revalidate
            cache.SetCacheability(HttpCacheability.NoCache);        // Cache-Control: no-cache (+ Pragma: no-cache)
            cache.SetNoStore();                                     // Cache-Control: no-store
        }
    }
It seems to work but I’m curious to know if this seems like the appropriate approach to use (or not). Are there any known issues I’m not aware of in using this technique?
In addition, I've been told that if I had an SSL Certificate then I wouldn't need to do this but instead create and set an HTTP header with Cache-Control: no-cache, which would, ultimately, make all my https pages not cached.
Can anyone confirm this? If the above is true, then why would I create a custom ActionFilter?
Feel free to share any thoughts or better approaches…
Keep in mind, the ultimate goal is to make sure a user does not see his previous page(s) when clicking the BACK button after he's been signed off (FormsAuthentication.SignOut();).
Thanks
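As an added example (not code from the question above), one way to stop the per-action decoration from being forgotten is to register the same cache headers as a global filter and apply them only to requests that carry an authenticated identity, so public pages keep normal caching. The class name NoCacheForAuthenticatedAttribute and the Global.asax registration method are assumptions for illustration; the header calls are the ones the question already uses.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Assumed name. Emits no-store headers for every action whose request is
// authenticated; anonymous responses are left untouched.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class NoCacheForAuthenticatedAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContextBase http = filterContext.HttpContext;

        // FormsAuthenticationModule has already run, so User is populated here.
        if (http.User == null || !http.User.Identity.IsAuthenticated)
        {
            return; // anonymous page: keep default caching
        }

        ApplyNoStore(http.Response);
    }

    // Resulting headers (as emitted by ASP.NET's HttpCachePolicy):
    //   Cache-Control: no-cache, no-store, must-revalidate
    //   Pragma: no-cache
    //   Expires: -1
    // no-store is the directive that prevents the browser from keeping a copy
    // that the BACK button could show after FormsAuthentication.SignOut().
    public static void ApplyNoStore(HttpResponseBase response)
    {
        HttpCachePolicyBase cache = response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);
        cache.SetNoStore();
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        cache.SetExpires(DateTime.UtcNow.AddDays(-1));
        cache.SetValidUntilExpires(false);
    }
}

// Global.asax.cs (MVC 3 project template shape): register once instead of
// placing an attribute under every [Authorize].
public class MvcApplication : HttpApplication
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());              // template default
        filters.Add(new NoCacheForAuthenticatedAttribute());  // added here
    }

    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        RegisterGlobalFilters(GlobalFilters.Filters);
        // RegisterRoutes(RouteTable.Routes); as generated by the template
    }
}
```

Checking the result is a matter of opening the browser's network tools on any page loaded while signed in and confirming the three headers above are present; after SignOut the BACK button then re-requests the page, and [Authorize] redirects to the login form instead of a cached copy being shown. Whether the page is served over https or http does not change this: the response headers govern what the browser stores in both cases.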