2

In my MVC 4 application, I am using a BaseController to execute a few processes whenever any of my other controllers get hit, one of which is checking if a user is logged in or not.

I've noticed that this is a common issue across design patterns, frameworks, what-have-you. Sadly, I could not find a solution.

Let's keep this short and sweet: how can we prevent the back button from allowing unauthorized access to my MVC 4 pages?

Kehlan Krumme

2 Answers

1

One possible issue is the page being in browser cache. Consider adding some anti caching code to the page initialization.

 Response.Cache.SetCacheability(System.Web.HttpCacheability.NoCache);
 Response.Cache.SetNoStore();

Here are some other questions with some implementation options.

Disable browser cache for entire ASP.NET website

How do I add site-wide no-cache headers to an MVC 3 app

ericdc
  • Is it good practice to clear the cache upon logout? This was an idea I had initially, however I never tried implementing it. – Kehlan Krumme Jun 17 '13 at 23:36
  • For dynamic content I think it is a good idea to not let the browser cache those pages to begin with. I don't know what you could do to clear cache on logout as the browser caches each resource (page, css, etc) separately. If the url is cached in the browser going back to it will show the previous state of the page unless you do a refresh, clear cache, or change the url with some querystring. – ericdc Jun 17 '13 at 23:38
  • I see. Well, it looks like I may have to resort to disabling caching, even though my content isn't what I'd call "dynamic." I'll consult my colleague and see what he prefers. Thanks! – Kehlan Krumme Jun 17 '13 at 23:40
  • Haven't gotten back to it yet, I'll probably end up revisiting this portion of the site either today or tomorrow. I'll be sure to come back and post about what solution we ended up with! It very well could be yours. – Kehlan Krumme Jun 18 '13 at 17:37
  • It's been a long time, and our project is now structured to handle the Session object much more securely, however this is still a good solution for the posted question. Thank you. – Kehlan Krumme Aug 08 '13 at 22:49
0

You should try this: https://stackoverflow.com/a/2969537/957921

It is about adding an attribute to the action methods to avoid browser cache.

thepirat000
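The attribute approach from the second answer, using the cache calls from the first answer and applied once on a shared base controller, as an added example that is not code from either answer. `NoCacheAttribute`, `BaseController`, `AccountController` and the `Login` action name are hypothetical, and forms authentication is assumed.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical filter: marks every response it covers as non-cacheable,
// so the back button has to re-request the page from the server.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class NoCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);        // Cache-Control: no-cache
        cache.SetNoStore();                                     // adds no-store
        cache.SetExpires(DateTime.UtcNow.AddDays(-1));          // already expired
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches); // must-revalidate
        base.OnResultExecuting(filterContext);
    }
}

// Hypothetical base class: [Authorize] rejects the re-request once the user
// has logged out; [NoCache] forces the browser to make that re-request.
[Authorize]
[NoCache]
public abstract class BaseController : Controller
{
}

public class AccountController : BaseController
{
    // POST only; the logout form must render @Html.AntiForgeryToken().
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        FormsAuthentication.SignOut(); // expire the forms-auth cookie
        Session.Abandon();             // drop server-side session state
        return RedirectToAction("Login");
    }

    [AllowAnonymous]
    public ActionResult Login()
    {
        return View();
    }
}
```

The headers only affect responses served after the filter is in place; copies the browser cached earlier stay until they are evicted or refreshed.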