Is there a way to keep a page from rendering once a person has logged out but hit the “back” button?

感情败类 2020-12-01 05:18

I have some website which requires a logon and shows sensitive information.

The person goes to the page, is prompted to log in, then gets to see the information.

16 answers
  • 2020-12-01 06:22

    The short answer is that it cannot be done securely.

    There are, however, a lot of tricks that can be implemented to make it difficult for users to hit back and get sensitive data displayed.

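    // Tell the browser and intermediary caches not to cache or store this response.
    Response.Cache.SetCacheability(HttpCacheability.NoCache);
    Response.Cache.SetExpires(DateTime.Now.AddSeconds(-1)); // already expired
    Response.Cache.SetNoStore();                            // Cache-Control: no-store
    Response.AppendHeader("Pragma", "no-cache");            // for HTTP/1.0 caches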
    

    This will disable caching on the client side; however, this is not supported by all browsers.

    If you have the option of using AJAX, then sensitive data can be retrieved using an UpdatePanel that is updated from client code, and therefore it will not be displayed when hitting back unless the client is still logged in.

  • 2020-12-01 06:22

    You could have a JavaScript function that does a quick server check (AJAX) and, if the user is not logged in, erases the current page and replaces it with a message. This would obviously be vulnerable to a user whose JavaScript is off, but that is pretty rare. On the upside, this is both browser and server technology (ASP/PHP etc.) agnostic.

  • 2020-12-01 06:22

    I just had the banking example in mind.

    The page of my bank has this in it:

    <meta http-equiv="expires" content="0" />
    

    This should be about this I suppose.

  • dannyp and others, no-cache does not stop caches from storing sensitive resources. It merely means that a cache cannot serve a resource it has stored without revalidating it first. If you wish to prevent sensitive resources from being cached, you need to use the no-store directive.

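A check for the distinction drawn in the last answer, as an added example that is not part of the original thread: a small Node.js function that audits the response headers of a sensitive page and reports when `no-store` is missing. The function names and the sample header sets are constructed for illustration.

```javascript
// Added example: audit the response headers of a page that shows sensitive data.
// The header sets below are constructed samples, not captured traffic.

// Parse a Cache-Control value into a Map of lowercase directive -> value (or true).
// Simplification: assumes no commas inside quoted directive values.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of String(value || '').split(',')) {
    const [name, ...rest] = part.trim().split('=');
    if (name) directives.set(name.toLowerCase(), rest.length ? rest.join('=') : true);
  }
  return directives;
}

// Returns { mayBeStored, findings } for one response's headers
// (plain object, header names matched case-insensitively).
function auditSensitiveResponse(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const cc = parseCacheControl(h['cache-control']);
  const findings = [];
  if (!cc.has('no-store')) {
    if (cc.has('no-cache')) {
      findings.push('Cache-Control has no-cache but not no-store: a cache may keep the page and only has to revalidate it.');
    } else {
      findings.push('Cache-Control lacks no-store: the page may be kept by browser or intermediary caches.');
    }
    if (/no-cache/i.test(h['pragma'] || '')) {
      findings.push('Pragma: no-cache does not forbid storage either.');
    }
    if ('expires' in h) {
      findings.push('Expires only marks the copy stale; it does not forbid storage.');
    }
  }
  return { mayBeStored: !cc.has('no-store'), findings };
}

const samples = {
  revalidateOnly: { 'Cache-Control': 'no-cache', Pragma: 'no-cache' },
  expiresOnly: { Expires: '0' },
  hardened: { 'Cache-Control': 'no-cache, no-store, must-revalidate', Pragma: 'no-cache', Expires: '0' },
};
for (const [name, hdrs] of Object.entries(samples)) {
  console.log(name, JSON.stringify(auditSensitiveResponse(hdrs)));
}
```

Run against the real responses of the logged-in pages (for example in an integration test), this flags any page that relies on `no-cache`, `Pragma` or `Expires` alone.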