Is there a way to keep a page from rendering once a person has logged out but hit the "back" button?

2018-06-19 19:13:25

I have some website which requires a logon and shows sensitive information.

The person goes to the page, is prompted to log in, then gets to see the information.

The person logs out of the site, and is redirected back to the login page.

The person then can hit "back" and go right back to the page where the sensitive information is contained. Since the browser just thinks of it as rendered HTML, it shows it to them no problem.

Is there a way to prevent that information from being displayed when the person hits the "back" button from the logged out screen? I'm not trying to disable the back button itself, I'm just trying to keep the sensitive information from being displayed again because the person is not logged into the site anymore.

For the sake of argument, the above site/scenario is in ASP.NET with Forms Authentication (so when the user goes to the first page, which is the page they want, they're redirected to the logon page - in case that makes a difference).

The short answer is that it cannot be done securely.

There are, however, a lot of tricks that can be implemented to make it difficult for users to hit back and get sensitive data displayed.

Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetExpires(Now.AddSeconds(-1));
Response.Cache.SetNoStore();
Response.AppendHeader("Pragma", "no-cache");

This will disable caching on client side, however this is not supported by all browsers .

If you have the option of using AJAX then sensitive data can be retrieved using a updatepanel that is updated from client code and therefore it will not be displayed when hitting back unless client is still logged in.

Cache and history are independent and one shouldn't affect each other.

The only exception made for banks is that combination of HTTPS and Cache-Control: must-revalidate forces refresh when navigating in history.

In plain HTTP there's no way to do this except by exploiting browser bugs.

You could hack around it using Javascript that checks document.cookie and redirects when a "killer" cookie is set, but I imagine this could go seriously wrong when browser doesn't set/clear cookies exactly as expected.

From aspdev.org:

Add the following line on top of the Page_Load event handler and your ASP.NET page will not be cached in the users browsers:

Response.Cache.SetCacheability(HttpCacheability.NoCache)

Settings this property ensures that if the user hits the back-button the content will be gone, and if he presses "refresh" he will be redirected to the login-page.

链接地址: http://www.djcxy.com/p/55732.html

上一篇: 浏览器onload事件点击后退按钮时？

下一篇: 有一种方法可以让一个人一旦注销但是点击“返回”按钮就不会呈现页面？