
I have an ASP.net MVC 3 app using razor, and when using the default AccountController to log out the current user, I have picked up a security issue. After clicking log out (_LogoutPartial view), I get redirected to Log On page. Fine, but when I click Back on the browser, it allows me back into the web application and does not ask for me to log on.

The route with parameters is as follows:

```csharp
routes.MapRoute(
    "Person", // Route name
    "Person/{profileName}/{action}/{id}", // URL with parameters
    new { controller = "Person", action = "Index", id = UrlParameter.Optional } // defaults
);
// example: http://localhost:1946/Person/JoeBlack/ListTeamMembers
```

It seems the {profileName} is still active in the session (?) and allowing the call to the controller. However, the controller action {ListTeamMembers} has the [Authorize()] attribute, so I'm not sure how it's letting the user in...

Blyde
  • No, they are just seeing the page from cache. Or you aren't logging them out properly. – Andrew Barber May 20 '12 at 20:50
  • Thanks Andrew. Does that mean I need to have a check on every Action method, checking whether there is an active user session, and if not, redirect to login? – Blyde May 20 '12 at 21:00
  • That is what the Authorize attribute does. The problem is the browser is not trying to load the page again at all once they press [back], it is just showing them the cache. Implementing no caching policies on protected controller actions would help. – Andrew Barber May 20 '12 at 22:17

1 Answer

When you press the Back button on your browser, the last page is retrieved from the cache of the browser. The server is never hit. The user is no longer authenticated. This means that if he attempts to perform some action and sends an HTTP request he will be redirected to the LogOn page. The way to prevent this from happening is by excluding all authenticated pages from the client browser cache. You could have a custom NoCache action filter for this job.

Darin Dimitrov
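One way to implement the NoCache action filter the answer describes, as an added example that is not part of the original answer or of the ASP.NET MVC framework itself. The filter sets the response cache policy so that neither the browser nor an intermediate cache stores an authenticated page; the PersonController and its ListTeamMembers action are hypothetical and only illustrate how the filter is combined with [Authorize] on the route from the question.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example: an action filter that marks every response it decorates as
// non-cacheable, so pressing Back after logout cannot replay a protected page
// from the browser cache. [Authorize] alone does not help here, because the
// Back button never sends a request to the server.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public sealed class NoCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpResponseBase response = filterContext.HttpContext.Response;

        // Cache-Control: no-cache  (and Pragma: no-cache for HTTP/1.0 clients)
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        // Cache-Control: no-store  -- do not persist the page to disk at all
        response.Cache.SetNoStore();
        // Expires in the past, so any cache that ignores the above treats it as stale
        response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
        // Cache-Control: must-revalidate for both browser and proxy caches
        response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        response.Cache.SetValidUntilExpires(false);

        base.OnResultExecuting(filterContext);
    }
}

// Hypothetical controller matching the "Person/{profileName}/{action}/{id}" route
// from the question. [Authorize] rejects unauthenticated requests; [NoCache]
// makes sure the browser has to send one instead of showing a cached copy.
[Authorize]
[NoCache]
public class PersonController : Controller
{
    public ActionResult ListTeamMembers(string profileName)
    {
        // Assumed view model lookup; replace with the application's own data access.
        return View(model: profileName);
    }
}
```

Rather than decorating each controller, the same attribute can be registered once in Global.asax with `GlobalFilters.Filters.Add(new NoCacheAttribute());`, which is the safer default for an application where most pages are behind a login. To confirm it works, open the browser's network tools after logging in and check that a protected page comes back with `Cache-Control: no-cache, no-store, must-revalidate`; after logging out, Back should now trigger a request that the [Authorize] attribute redirects to the LogOn page.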