I have an ASP.NET MVC 3 app using Razor, and when using the default AccountController to log out the current user, I have picked up a security issue. After clicking log out (_LogoutPartial view), I get redirected to the Log On page. Fine, but when I click Back in the browser, it allows me back into the web application and does not ask me to log on.
The route with parameters is as follows:
    routes.MapRoute(
        "Person", // Route name
        "Person/{profileName}/{action}/{id}", // URL with parameters
        new { controller = "Person", action = "Index", id = UrlParameter.Optional } // defaults
    );
    // example: http://localhost:1946/Person/JoeBlack/ListTeamMembers
It seems the {profileName} is still active in the session (?) and allowing the call to the controller. However, the controller action {ListTeamMembers} has the [Authorize()] attribute, so I'm not sure how it's letting the user in...