Web Connection
Browser Back button after logout
Browser Back button after logout
  Kathy
  All
  Apr 4, 2019 @ 09:17pm

Hi Rick,
How can I prevent showing the page contents by back button after user logout?
Thanks,
Kathy

re: Browser Back button after logout
  Rick Strahl
  Kathy
  Apr 5, 2019 @ 12:57pm

You can expire the request immediately or in a short period of time so you can't back up and use the back button.

Response.AppendHeader("Expires","0")
Response.AppendHeader("Pragma","no-cache")
Response.AppendHeader("Cache-Control","no-cache, no-store, must-revalidate")

*** Generate your output 
Response.ExpandScript()

Now - how this is handled depends on the browser and the behavior does vary, but this is as much as you can control this process.

Also note that when you do this you lose the ability to go back when it's the right thing to do - i.e. the user is entering data, moves off by accident and then wants to come back to the page with the content still there.

The only real safe way to ensure a full logout of a system is to log out and shut down the tab/browser.

+++ Rick ---

re: Browser Back button after logout
  Kathy
  Rick Strahl
  Apr 9, 2019 @ 07:58am

Thank you so much Rick.
I added the code plus Response.AddForceReload() to my layout page. I also added ReleaseSession() to the logout code and it looks like it's working, but the only problem is that if I keep on going backward I get this by which I can re-submit the login form.

Is this what you mentioned as different behaviors on different browsers or would you think I'm missing something?
Thanks again,
Kathy

re: Browser Back button after logout
  Rick Strahl
  Kathy
  Apr 9, 2019 @ 12:10pm

Well you can't have it both ways 😃 That's the side effect of removing caching - you're now making the app harder to use for your users that are logged in because they also can't navigate backwards to recover.

If you remove caching you can't navigate back without having to resubmit the form - you can refresh at which point your server will get hit again and you are hopefully forcing the user to log back in at that point (if you previously logged out).

So that's expected - and proper - behavior for the browser.

In the normal context of an application that has proper navigation flow nobody should be using the back button. Lots of applications (especially banking applications) do just that BTW, so this is not uncommon.

+++ Rick ---

re: Browser Back button after logout
  Kathy
  Rick Strahl
  Apr 9, 2019 @ 12:39pm

Sorry Rick but I'm not sure if I've got this completely.
My problem is that when the users get this message, they're NOT forced to login again and they'll be logged in just by refreshing the page which feels insecure.
So is the login data still cached?!
And is there anything I can do on the server side?
I can see some "document.reload" solutions but not sure how to use them correctly. Seems none works! Or I'm lost 😃

re: Browser Back button after logout
  Rick Strahl
  Kathy
  Apr 9, 2019 @ 01:41pm

If they get that message, the browser forces a refresh from the server. Which means you get to check whether the user is logged in or not and if not force them to log in again. IOW, a non-logged in user can't get back to the form data. If you are logged in you can probably just refresh and the page should reload with the data you had there.

+++ Rick ---
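An added example, not part of the original thread and not Web Connection code: a minimal Python WSGI sketch of the server-side behavior described above, where protected pages carry the no-cache headers and every request re-checks the server-side session, so a Back/Refresh after logout lands on the login form. The routes, the `SESSIONS` store, the fixed user and the `request` helper are all constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}                      # session id -> user name (server-side state)
NO_CACHE = [("Expires", "0"), ("Pragma", "no-cache"),
            ("Cache-Control", "no-cache, no-store, must-revalidate")]

def session_id(environ):
    """Return the session id from the request cookie, or None."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return cookie["sid"].value if "sid" in cookie else None

def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    sid = session_id(environ)
    user = SESSIONS.get(sid)

    if path == "/login":           # constructed demo: stands in for a credential check
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = "kathy"
        start_response("303 See Other", NO_CACHE + [
            ("Location", "/account"),
            ("Set-Cookie", f"sid={sid}; HttpOnly; Path=/; SameSite=Lax")])
        return [b""]

    if path == "/logout":
        SESSIONS.pop(sid, None)    # invalidate on the server, not just the cookie
        start_response("303 See Other", NO_CACHE + [
            ("Location", "/login-form"),
            ("Set-Cookie", "sid=; Max-Age=0; HttpOnly; Path=/")])
        return [b""]

    if path == "/account":
        if user is None:           # checked on every request, including Back/Refresh
            start_response("303 See Other", NO_CACHE + [("Location", "/login-form")])
            return [b""]
        start_response("200 OK", NO_CACHE + [("Content-Type", "text/plain")])
        return [f"private data for {user}".encode()]

    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"please log in"]

def request(path, cookie=""):
    """Call the app in-process; return (status, headers dict, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app({"PATH_INFO": path, "HTTP_COOKIE": cookie}, start_response))
    return seen["status"], seen["headers"], body
```

Because the session is deleted from `SESSIONS` at logout, a replayed pre-logout cookie is rejected even if the browser never discarded it.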

re: Browser Back button after logout
  Kathy
  Rick Strahl
  Apr 11, 2019 @ 06:44am

Thank you so much Rick.
You were absolutely right as always.
I was sure I'd taken care of it but I had not!
Looks like it's working the way users are happy with.
Thanks again.
Kathy

re: Browser Back button after logout
  Rick Strahl
  Kathy
  Apr 12, 2019 @ 12:31pm

The behavior definitely changes when you do this and some things that are very useful for properly logged in users go away. For example you can't use the back button to go back to a previously submitted form and rescue that data when you legitimately need to. However, if you follow proper post back etiquette (i.e. post back to the same page that displayed the content in the first place) then there's little need for this. Back Button usage should never be on the user's mind unless they do something stupid like open a new site by typing into the address bar. (Disclaimer: I do this all the time and I'm happy when a site does allow me to get back 😃)

+++ Rick ---

re: Browser Back button after logout
  Kathy
  Rick Strahl
  Apr 15, 2019 @ 08:50am

Thanks for your precious advice on this.
I'll consider it for sure.
Regards,
Kathy
