当用户在 asp.net c# 中注销时如何禁用浏览器中的后退按钮

Question

Our problem is we are able to clear session on logout.

But if a user clicks the back button then he/she can go through all previous screens.

But the advantage is that on a single click on any of of such previously surf page bring user to login page back,we had done that. But our requirement is we should no allow user to go through the previously surf page.

Answer 1

You need to force the cache to expire for this to work. I'm looking for the code sample for you.

EDIT
Found this for you, its already been addressed here on SO.

Page.Response.Cache.SetCacheability(HttpCacheability.NoCache)

Here...

Answer 2

write this code in master page in page load event

Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetExpires(DateTime.UtcNow.AddHours(-1));
Response.Cache.SetNoStore();

and write this code in Login page in head section

<script type="text/javascript">
window.history.forward(-1);
</script> 

Answer 3

You can't "disable" the back button. There are numerous "tricks" that i've seen that can clear out the back history, but these are unreliable and they don't work from browser to browser, or even version of browser to version of browser.

As others have said, the correct method is invalidate the cache, along with server side validation that the session is no longer valid if they try to resend data. Also, Response.Redirect works better than a postback, since that causes a get rather than a post.

Answer 4

For ASP.NET pages you can use Response.CacheControl to control how a page is stored in a users cache. Other web development languages will utilize something similar.

Answer 5

You could go Outlook Web Access style, and simply have JavaScript close the current window/tab.

Also, you can make sure that your "logout" page is a postback. That will force the user on a Back button in most browsers to retry the postback, at which point you can detect that they are no longer logged in and can redirect them back to the login page.

Edit: Someone else mentioned a Response.Redirect. You could actually make your "logout" link go to a page that does a redirect, and ALWAYS redirect to a second "landing page". If the user clicks "Back", they will land on the redirect again and put them back where they started.

There's no way to prevent browser history so it's important to use a couple of methods together and don't plan on a user "not going backwards" to ensure your application security.

Answer 6

An earlier variation of the same question/answer:

Is there a way to keep a page from rendering after a person has logged out but hit the "back" button

Answer 7

This is the solution I found on Coding Solutions

in the master page

    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ClearHeaders();
        Response.AppendHeader("Cache-Control", "no-cache"); //HTTP 1.1
        Response.AppendHeader("Cache-Control", "private"); // HTTP 1.1
        Response.AppendHeader("Cache-Control", "no-store"); // HTTP 1.1
        Response.AppendHeader("Cache-Control", "must-revalidate"); // HTTP 1.1
        Response.AppendHeader("Cache-Control", "max-stale=0"); // HTTP 1.1
        Response.AppendHeader("Cache-Control", "post-check=0"); // HTTP 1.1
        Response.AppendHeader("Cache-Control", "pre-check=0"); // HTTP 1.1
        Response.AppendHeader("Pragma", "no-cache"); // HTTP 1.1
        Response.AppendHeader("Keep-Alive", "timeout=3, max=993"); // HTTP 1.1
        Response.AppendHeader("Expires", "Mon, 26 Jul 1997 05:00:00 GMT"); // HTTP 1.1
    }

Control LoginStatus

    protected void LoginStatusUser_LoggedOut(object sender, EventArgs e)
    {
        Session.Abandon();
        FormsAuthentication.SignOut();
    }