I have some website which requires a logon and shows sensitive information.
The person goes to the page, is prompted to log in, then gets to see the information.
Please look into the HTTP response headers. Most of the ASP code that people are posting looks to be setting those. Be sure.
The chipmunk book from O'Reilly is the bible of HTTP, and Chris Shiflett's HTTP book is good as well.
It's a bit of a strain, but if you had a Java applet or a Flash application that was embedded and authentication was done through that, you could make it so that they had to authenticate in, erm, 'real-time' with the server every time they wanted to view the information.
Using this you could also encrypt any information.
There's always the possibility that someone can just save the page with the sensitive information on it; having no cache isn't going to get around this situation (but then a screenshot can always be taken of a Flash or Java application, too).
Have the logout operation be a POST. Then the browser will prompt for "Are you sure you want to re-post the form?" rather than show the page.
You can have the web page with the sensitive information be returned as the response to an HTTP POST; then in most cases browsers will give you the message asking if you want to resubmit the data. (Unfortunately I cannot find a canonical source for this behavior.)
From aspdev.org:
Add the following line at the top of the Page_Load event handler and your ASP.NET page will not be cached in the users' browsers:
Response.Cache.SetCacheability(HttpCacheability.NoCache)
Setting this property ensures that if the user hits the back button the content will be gone, and if he presses "refresh" he will be redirected to the login page.
You are looking for a no-cache directive:
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
If you've got a master page design going, this may be a little bit of a juggle, but I believe you can put this directive on a single page, without affecting the rest of your site (assuming that's what you want).
If you've got this directive set, the browser will dutifully head back to the server looking for a brand new copy of the page, which will cause your server to see that the user is not authenticated and bump him to the login page.
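The two answers above (the ASP.NET `SetCacheability(HttpCacheability.NoCache)` one and the `<META HTTP-EQUIV="PRAGMA">` one) both aim at the same thing: response headers that stop the browser keeping a copy of the sensitive page. The example below is added here and is not code from the question or from any of the answers. It emits the full set of anti-caching headers from a small Python `http.server` handler and includes a checker that reports what a given header set still leaves open. The header sets `NO_CACHE_ONLY` (my approximation of what `HttpCacheability.NoCache` sends by itself), `HARDENED` and `META_ONLY`, and the page body, are constructed for illustration. The practical points it shows: `no-cache` only forces revalidation, while `no-store` is what tells the browser not to write the page to disk at all; and a `META HTTP-EQUIV` tag lives in the HTML body, so a proxy or cache that only looks at HTTP headers never sees it.

```python
"""Added example (not from the question or any answer): send anti-caching
headers for a sensitive page and check a header set for gaps."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed header sets for the checker below.
# NO_CACHE_ONLY approximates what HttpCacheability.NoCache emits on its own.
NO_CACHE_ONLY = {
    "Cache-Control": "no-cache",
    "Pragma": "no-cache",
    "Expires": "-1",
}
# HARDENED is what a page showing sensitive data should send.
HARDENED = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",   # for HTTP/1.0 caches that ignore Cache-Control
    "Expires": "0",         # an invalid date, i.e. already expired
}
# A page that relies only on <META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
# sends no caching-related HTTP header at all.
META_ONLY = {}


def parse_cache_control(value):
    """Split 'no-store, max-age=0' into {'no-store': None, 'max-age': '0'}."""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def caching_problems(headers):
    """Return the reasons a response with these headers may still be cached.

    An empty list means the headers are as strict as HTTP lets them be.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    problems = []
    if "cache-control" not in lower:
        problems.append("no Cache-Control header: a META http-equiv tag is not "
                        "an HTTP header, so proxies and many caches never see it")
    if "no-store" not in cc:
        problems.append("no-store missing: no-cache only forces revalidation, the "
                        "browser may still write the page to its disk cache")
    if "no-cache" not in cc and "must-revalidate" not in cc:
        problems.append("no-cache/must-revalidate missing: a stale copy may be "
                        "served without asking the server")
    if "public" in cc:
        problems.append("public: explicitly allows shared caches to store it")
    if "pragma" not in lower:
        problems.append("Pragma: no-cache missing for HTTP/1.0 intermediaries")
    if "expires" not in lower:
        problems.append("Expires missing: some old caches use it as the fallback")
    return problems


class SensitivePageHandler(BaseHTTPRequestHandler):
    """Serves a constructed 'account' page with the HARDENED headers applied."""

    def do_GET(self):
        body = b"<html><body>Account balance: (sensitive)</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        for name, value in HARDENED.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    for label, hdrs in (("NoCache only", NO_CACHE_ONLY),
                        ("META tag only", META_ONLY),
                        ("hardened", HARDENED)):
        print(label, "->", caching_problems(hdrs) or ["ok"])
    # Point a browser at http://127.0.0.1:8080/ and inspect the response headers.
    HTTPServer(("127.0.0.1", 8080), SensitivePageHandler).serve_forever()
```

Run it and the checker shows the `NoCache`-only set still lacks `no-store`, the META-only page has no usable header at all, and the hardened set passes. In ASP.NET the extra call that adds `no-store` is `Response.Cache.SetNoStore()`; whatever the framework, verify the result by looking at the actual response headers in the browser's network tool or with `curl -I`, not at the page source. None of this stops a user saving or screenshotting a page they are entitled to see; the headers only keep the browser from handing the page to the next person at the keyboard.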