ASP.net: cache issue on logout

I can't find the message about the cache on logout, so I'm going to ask this question. If there is a similar question, please let me know.

I have a Logout page that basically calls the SignAuthentication signout method and then redirects the user to the login page. It works fine, but the problem is that the user can click the browser button and get the cached page. I tried to set the no-cache header on my main page, but it doesn't work.

Can anyone point me to an article or tutorial or write some tips on how you handle this situation?

Thanks

0




7 replies


Depending on your requirements, a possible solution might be to set the Cache-Control header to "no-cache" on every authenticated page. This will prevent pages from being cached on the stream. This can be achieved by writing a custom HttpModule that will set the header:

// Prevent the browser from caching the ASPX page
Response.Cache.SetNoStore();

      

You can also set this in the HEAD section of the page by adding the following line of code:



<meta http-equiv="Cache-Control" content="no-cache" />

      

By doing this, if the user clicks the back button after they are logged out, they will be redirected to the login form instead of seeing the cached version of their last page, which can be a problem if they are using a public computer.

+2
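A custom HttpModule of the kind this answer mentions, written here as an added example rather than code from the original post. The class name `NoStoreForAuthenticatedModule` and the `/Content/` static-asset prefix are assumptions.

```csharp
using System;
using System.Web;

// Added example. NoStoreForAuthenticatedModule is a hypothetical name.
// Register it in web.config, for example (integrated pipeline):
//   <system.webServer><modules>
//     <add name="NoStoreForAuthenticated" type="NoStoreForAuthenticatedModule" />
//   </modules></system.webServer>
public sealed class NoStoreForAuthenticatedModule : IHttpModule
{
    // Assumption: static assets live under this prefix and may be cached.
    private const string StaticPrefix = "/Content/";

    public void Init(HttpApplication app)
    {
        // By PostAuthorizeRequest the user's identity is known and no
        // headers have been sent yet.
        app.PostAuthorizeRequest += OnPostAuthorizeRequest;
    }

    private static void OnPostAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Anonymous pages (login form, public content) keep normal caching.
        if (!ctx.Request.IsAuthenticated)
            return;

        // Leave images, CSS and scripts cacheable.
        if (ctx.Request.Path.IndexOf(StaticPrefix, StringComparison.OrdinalIgnoreCase) >= 0)
            return;

        // Ask browsers and intermediaries not to keep a copy of the response.
        HttpCachePolicy cache = ctx.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);        // no-cache
        cache.SetNoStore();                                     // no-store
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches); // must-revalidate
    }

    public void Dispose() { }
}
```

To confirm it is active, load an authenticated page and check in the browser's network tools that the response's Cache-Control header contains no-store.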




If you are using forms authentication, make sure the forms authentication cookie is removed when the user logs off. As soon as the user does something on the cached page (on the page they clicked the back button), the site will ask the user to re-login and then redirect back to the original page with fresh data, Voilà!

Also, as far as page caching is concerned, you need to set quite a large number of headers to disable the caching mechanism in the browser and proxies:

  • "Expires" - set the date in the past
  • "Last-Modified" - set the current date / time
  • "Cache-Control" - set "no-cache, must-revalidate"
  • "Pragma" - set "no-cache"


This should result in the page being unavailable. Date / time must be in RFC 1123 format ("R" format specifier in .NET, e.g. "Mon, 17 Apr 2006 21:22:48 GMT"). You would accomplish it like:

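// Expires: a date in the past, in RFC 1123 format
Response.AddHeader("Expires", new DateTime(1940, 1, 1).ToString("R"));
// "R" does not convert to UTC, it only appends "GMT", so start from UtcNow
Response.AddHeader("Last-Modified", DateTime.UtcNow.ToString("R"));
Response.AddHeader("Cache-Control", "no-cache, must-revalidate");
Response.AddHeader("Pragma", "no-cache");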

      

Or something similar, depending on where you want to add all the headers. I've had great success with this in many browsers and proxies, but nothing is crazy when it comes to page caching.

+1
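A logout page code-behind that removes the forms authentication cookie as this answer advises, added here as an example and not code from the original post. The `Logout` class name is hypothetical, and the code assumes session state is enabled and uses the default session cookie name `ASP.NET_SessionId`.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Added example: hypothetical code-behind for Logout.aspx.
public partial class Logout : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Sends an expired forms authentication cookie so this browser drops
        // its ticket. The ticket is not revoked on the server: a copy taken
        // earlier stays valid until it expires, so keep the forms timeout short.
        FormsAuthentication.SignOut();

        // Discard server-side session data tied to the old login.
        Session.Abandon();

        // Expire the session cookie too, so the next login starts a new
        // session id. Assumption: the default cookie name is in use.
        var sessionCookie = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            HttpOnly = true,
            Expires = DateTime.UtcNow.AddYears(-1)
        };
        Response.Cookies.Add(sessionCookie);

        // The logout response itself should not be cached either.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();

        // Send the user to the login URL configured for forms authentication.
        FormsAuthentication.RedirectToLoginPage();
    }
}
```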




There is no reliable way to accomplish this. The user ultimately has control over the cache settings, and the no-cache headers cannot override them.

Is there a specific issue you are trying to address here (security?), or are you just trying to make sure users don't see stale data?

0




This is a difficult problem. You can create a base page, and in the constructor you can check if the person is registered or not. If the person is not registered, this is just a redirect to the login page. This base page will be inherited by all other ASP.NET pages.

0




IE6 seems to ignore some cache headers.

Another method, on top of cache headers, is some client-side JavaScript to check for the authentication cookie and use history.forward() if it doesn't exist.

0




Add this to global.asax and set no-cache headers for all pages in the web app. Make sure disabling caching is really what you want to do, because caching is a performance advantage.

You can of course also apply the same Response.Cache commands to pages individually.

This works in Firefox 3, IE7 and somewhat in Opera 9.6. (In Opera, it will work if you don't send any messages. If you do, the page will be accessible from the first button, but not after that.)

    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        if (!Request.Path.Contains("/Content/")) // We WANT images, css, javascripts to be cached!
        {
            // Otherwise, all of our pages contain sensitive information, and we don't want them cached.
            Response.Cache.SetCacheability(HttpCacheability.NoCache);
            Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches); // for Opera. May only work on https sites
            Response.Cache.SetNoStore();
        }
    }

      

0




There is no way to actually stop the behavior of people who have removed the back button, turned it off, but the user will still have shortcut controls for any browser, my suggestion would be that for all those pages you want to get users to sign in. Put them in a method POST, not a regular post GET. What it would do is when the user clicks the back button for that url, the browser will prompt the user with a warning that the latest data is being cached for this request, and there will also be a call to the server where the form authentication will be done ...

A bit rough using the post where get might work, but it solves this problem.

0

