Logout issue with browser back button

Question

I have created Login/ Logout functionality using ASP.Net MVC 4. I used my own created form for authenticate users against Active Directory. It is working fine with the functionality.

Still there is a big issue in security. Once user click on the logout link he/ she successfully logged out and redirected to login form again. Code in the controller looks like below.

    public ActionResult Logout()
    {
        // Tried to include below 3 lines in _Layout.cshtml as well. But not identifying.
        Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
        Response.Cache.SetCacheability(System.Web.HttpCacheability.NoCache);
        Response.Cache.SetNoStore();            

        Session.Abandon();              

        return RedirectToAction("Login");
    }

BUT, once Browser back button clicked, the user can go back to the other pages and navigate thru pages.

I went thru several solutions, different approaches but none worked out. Seems the MVC approach is very different from ASP.NET forms. Appreciate your help on this.

(I'm looking to solve this using C#/ MVC way. Not using JavaScript to disable/ close the browser on logout.)

UPDATE: Code fragments

    [HttpPost]
    public ActionResult Login(LoginModel authUser)
    {
        // Call Helper to get LDAP info. Will return username with groups or null      
        UserModel userProfile = LdapLoginHelper.AuthenticateUser(authUser);

        if (userProfile != null)
        {                
            Session["UserName"] = userProfile.UserName;
            Session["LdapGroups"] = userProfile.LdapGroups;

            if (userProfile.LdapGroups.Contains("Administrators"))
            {
                // To be implemented                   
            }
            else
            {
                // To be implemented      
            }

            // Successful login. Redirect to main page
            return RedirectToAction("Home", "Home");
        }
        else
        {
            // Invalid Login. Redirect to Login page
            return RedirectToAction("Login");
        }            
    }



    public ActionResult Logout()
    {
        // Not worked
        Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
        Response.Cache.SetCacheability(System.Web.HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Session.Abandon();

        /// Tried this too. Not worked.
        /// Session.Clear();
        /// FormsAuthentication.SignOut();

        //// Tried this also. Not worked.
        //// WebSecurity.Logout();

        return RedirectToAction("Login");
    }

In addition to this common _Layout.cshtml page header looks like below.

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
<meta http-equiv="CACHE-CONTROL" content="NO-CACHE">
.
. 
.

Answer 1

add the following code in your global.asax page and remove first 3 lines from your logout() function.

protected void Application_BeginRequest()
{
    Response.Cache.SetCacheability(HttpCacheability.NoCache);
    Response.Cache.SetExpires(DateTime.UtcNow.AddHours(-1));
    Response.Cache.SetNoStore();
}

Answer 2

I've only used SetExpires with DateTime.Now that would match you local server time to the cookie. Using DateTime.UtcNow.Addminutes(-1) could be the real culprit here.

Also, if your are using forms authentication, I don't see your call to

FormsAuthentication.SignOut();

Answer 3

Adding the following attribute to any ActionResult methods which return secure pages in your controller(s) should work:

public class MyControllerForAuthorizedStuff
{
    [OutputCache(NoStore = true, Duration = 0, Location = OutputCacheLocation.None)]
    public ActionResult Index()
    {
        return View();
    }
}