Preventing Page Review after Logout with Forms Authentication
 
Published: 11 Jul 2005
Unedited - Community Contributed
Abstract
The inclusion of Forms Authentication in the .NET Framework has been a significant benefit to developers securing web-based applications. While pages can be secured server-side, local caching by browsers and proxy servers may allow a user to review information even after they have logged out. In some cases, this may present a risk to the user's confidential information. This article discusses three HTTP headers that can be used to prevent local caching of web pages, adding some protection to the user's data.
by Richard Dudley
Feedback
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 104637/ 61

Introduction

The inclusion of Forms Authentication in the .NET Framework has made it significantly easier to protect web pages by requiring users to log in to a web application.  One problem with Forms Authentication is browser caching of secured pages.  After a user logs out of an application, they can still review secured pages by using the browser's Back button.  The user is only looking at local copies of pages they viewed while previously logged in, but this can be undesirable in many instances, and present a genuine security risk.

In this article, we will explore a few small coding changes you can make to prevent users from reviewing secured pages after logout.

Preventing Review of Secured Pages

In order to speed up the Internet experience and reduce load on web servers, all browsers keep locally cached copies of the visited pages for a specified amount of time.  Users can set a time limit or space limit in their browsers for the page cache, but few do.  When a browser requests a page from a web server, it checks the timestamp on that page to determine whether the content has changed.  If the timestamps match, the browser renders the local copy; if the timestamps differ, the browser requests the page again.  For the site visitor, it's usually good that the browser has a local copy of any page that does not change frequently, since it's faster to load locally than download everything again.  However, for the webmaster, this can be a problem.  When users log out of a site protected by Forms Authentication, they may still review the local copy of the pages they visited.  This can be a security issue, as well as a nuisance.  The timestamp of pages with dynamic content does not change when the page is loaded, since the timestamp is read from the file system, not set when the page is requested (note that pages with querystring parameters are not usually cached by browsers, as it is evident they are dynamic).  As such, browsers may keep displaying the same old content over and over, instead of requesting fresh content.

Another security problem can arise if proxy servers are in use.  When a browser requests a page through a proxy server, the proxy server compares the timestamp of the requested file to see if it has changed.  If the timestamps match, the proxy server sends its locally cached copy back to the browser.  In the past, if two users requested the same page, they may have received identical copies of the page.  If the page contained dynamic content for one user, another user may have seen something they should not have seen.  Most proxy servers seemed to have remedied this issue by comparing the user who requested the page, but that doesn't mean every ISP or corporation is using a recent version of its proxy server.

Fortunately, web programmers can send three HTTP headers to the browser that specify how long a page should be cached by the browser or proxy server, if at all.  These headers can be set in the HTML code, or set in directly in server-side code.  The three useful headers are Expires, Pragma: no-cache, and Cache-Control.

HTTP Headers Described

Information on using all three headers and how Internet Explorer supports them can be found at
http://support.microsoft.com/kb/q234067/.

Expires

The Expires header is part of both the HTTP 1.0 and 1.1 specifications, and should be supported by every major and minor browser in use.  Per the specification, the Expires header does not prevent local caching of the resource, but rather tells the browser to check for a new version after a particular date.  The Expires header is set to either an absolute date and time to indicate the expiration of the page's content, or a value of -1 to indicate immediate expiration. For your dynamically generated pages, it's suggested to set Expires to a value of -1; for static pages, or ones that change infrequently (daily or longer), it's suggested to set Expires to a specific date value slightly before the next expected update.

Also per the specification, using the browser's Back button should display pages even past their expiration date.  As such, setting the Expires header is not enough, but every page should have an Expires value.

Pragma: no-cache

This header is part of the HTTP 1.0 and 1.1 specifications.  The Pragma: no-cache header is not meant to control browser caching of server responses, but is intended to signal proxy servers to expire the request and properly forward any other similar requests to the web server.

Recent versions of Internet Explorer support the use of Pragma: no-cache to expire responses, but this implementation is not supported by version 5 or earlier, and may not be supported by many other browsers, either.  You may see this header in a number of examples online, but since it is actually part of the request, it is recommended you do not use it in the response stream.

Cache-Control

This header is part of the HTTP 1.1 specification only.  Most browsers and proxy servers in use today should support HTTP 1.1, but the browser option can be configured by the user.  It's probably safe to assume that devices contacting your site support this header, but you cannot count on that to be the case.

You can set Cache-Control to several values:

  • Public: Content can be stored in public shared caches.  Good for your home page and any other publicly available pages.
  • Private: Content can be stored only in private cache.  Proxy servers should not store the content unless they support private caching.  Useful for pages with user interaction; a better method is No-store (see below).
  • No-cache: Content may not be cached.  This is the highest security setting, and should be used for all pages that contain sensitive information.
  • No-store: A better form of Private.  Content may be cached for the length of the session, but not archived.

All applications should set the Cache-Control of their pages.

Setting HTTP Headers in HTML

Any of these three headers can be set in the <head> section of your web page, as shown below:

Listing 1: HTML HTTP Header Tags

<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
<meta http-equiv="CACHE-CONTROL" content="NO-CACHE">

You will need to add these headers to every page, and set their values accordingly.  Internet Explorer versions 4 and 5 do not support the Cache-Control http-equiv tag, so Microsoft recommends setting this value as part of the Response object in server-side code.

Setting HTTP Headers in Server-side Code

In ASP.NET, a class named HttpCachePolicy has been introduced, which gives finer control over expiration and caching of content.  It is recommended that a developer use the HttpCachePolicy class rather than the Response.AddHeader() method to set caching policies.

Listing 2: HttpCachePolicy Properties

Response.Cache.SetExpires(DateTime.Parse("6:00:00PM"))
Response.Cache.SetCacheability(HttpCacheability.Private)

Note that the SetExpires() method only accepts a DateTime value.  Instead of passing -1 as a value, you will need to pass an absolute time (as above), or use the DateTime.Now property to pass in the current time.  According to the HTTP specifications, all absolute times in these headers should be set by Greenwich Mean Time to avoid any strange behavior when crossing time zones.

Additional properties and methods for the HttpCachePolicy class are detailed in the documentation for the 1.1 Framework and Beta 2 Framework.

An easy way to ensure these properties are set on every page is to create an abstract page class that inherits from the intrinsic Page class, and set these properties in the Page_Load or Page_Init handler of the abstract page class.  Then, every page in your application should inherit the abstract page.  This is a much easier way than copying HTTP headers into every ASPX page.

Summary

A simple coding change to a base page class can help ensure users cannot review pages after they log out of a website protected with Forms Authentication.  When used with Session.Abandon and proper expiration of the FormsAuthenticationTicket, you add additional security to your site, and help protect your user’s information.



User Comments

Title: page secure after logout   
Name: protect the page
Date: 2012-07-10 3:13:03 AM
Comment:
how can i protect the page after logout the page
Title: ya rab satrk werdak   
Name: walaa
Date: 2012-05-26 8:15:46 AM
Comment:
fjnvifdpojfviovnkj
Title: Gracias   
Name: Kikecerati
Date: 2012-05-09 2:45:30 PM
Comment:
Thank you su much.
Like Agyapal Sandhu wrote, with the next 3 lines you can secure you page don't takes cache.
Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
Title: LogoutProblem   
Name: Agyapal Sandhu
Date: 2012-03-16 12:43:10 AM
Comment:
This Code Really works... This was my great problem .I was saerching for it from at least a year... but nothing get relavant untill now.. Now i m really greatfull to Mr.Rituraj jain(torituraj2786@gmail.com)
Thank You Sir very Much...

protected void logout_OnClick(object sender, EventArgs e)
{
Session.Abandon();
Response.Redirect("login.aspx");
}
protected void Page_Init(object sender, EventArgs e
{
Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
}
Title: ASP   
Name: ASP
Date: 2011-06-29 5:07:11 AM
Comment:
add this line to your secure page
Response.Cache.SetNoStore()

add this logout button
Session.Abandon()
Title: Help   
Name: Sasidhar
Date: 2011-05-02 12:53:55 AM
Comment:
I need code for logout button, i want to clear the session without closing the browser.
Title: Very good post   
Name: Sergio Reyes
Date: 2011-04-10 2:23:37 PM
Comment:
This info is invaluable.

Right now I'm developing with the ASP.NET MVC 2.0 Framework

Thanks a lot Richard
Title: Help   
Name: Michael
Date: 2011-02-21 1:48:14 AM
Comment:
Hi, need help. Firefox creates cache not just pages but also scripts. I tried your code but isn't working with Firefox 3.6.13

I placed the code inside Application_Start in the global.asax so it will be called in every request. But Firefox still creates a cache of the script. So when i update the script, firefox gets the cached script instead of the updated one in the server.

Can u help me with this? :(
Title: hai   
Name: aswathy
Date: 2011-02-02 10:31:49 AM
Comment:
After loging out when I press a browser's back button, it still shows the page visited before..
Title: Hi   
Name: Jijo (asp.net beginner)
Date: 2011-02-01 7:00:15 AM
Comment:
Thankz man.......
Title: Thanks   
Name: Mohit Chauhan
Date: 2010-11-15 2:40:15 AM
Comment:
thanks yar
Paresh Rathod
Title: logout problem solved   
Name: Rituraj jain(torituraj2786@gmail.com)
Date: 2010-10-05 3:53:30 AM
Comment:
use this code
protected void logout_OnClick(object sender, EventArgs e)
{
Session.Abandon();
Response.Redirect("login.aspx");
}
protected void Page_Init(object sender, EventArgs e
{
Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
}
Title: problem with logout   
Name: gaurav modi(gaurav_04_89@yahoo.co.in)
Date: 2010-10-02 2:12:09 AM
Comment:
On clicking logout button i am redirect on login page but when i click on back button i am redirect to previous page which was opened last.
Title: working in IE & FF   
Name: Paresh Rathod
Date: 2010-09-08 5:30:44 AM
Comment:
working in IE & FF
Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1))
Response.Cache.SetCacheability(HttpCacheability.NoCache)
Response.Cache.SetNoStore()
Title: logout problem solved   
Name: Denny Joppan
Date: 2010-07-02 12:25:14 AM
Comment:
paste this code in your pageload of userhome
Response.Buffer= true;
Response.ExpiresAbsolute=DateTime.Now.AddDays(-1d);
Response.Expires =-1500;
Response.CacheControl = "no-cache";
if (Session["Username"] == null)
{
Response.Redirect ("Default.aspx");
}
Title: logout problem   
Name: prakhar jain
Date: 2010-06-17 3:57:04 AM
Comment:
After loging out when I press a browser's back button, it still shows the page visited before........
please help me

jain.patwa@gmail.com
Title: Logout problem   
Name: Divya
Date: 2010-06-08 8:00:39 PM
Comment:
After loging out when I press a browser's back button, it still shows the page visited before........
please help me

divyadalal101@gmail.com
Title: annd mand ka tola   
Name: RAjiv
Date: 2010-05-01 7:08:26 AM
Comment:
hoth ghuma siti baja aur siti baja ke bol ALL IS WELL
Title: logout problem   
Name: madhuvbabu
Date: 2010-04-08 5:31:53 AM
Comment:
Who can help me about log out im create a web site in .net that have log in and log out my problem about log out when you click hes back in previous page i wont to disable the back button hOW can i do thatttt
Title: Where in MasterPage?   
Name: Dave
Date: 2010-03-31 2:23:48 PM
Comment:
I am understanding the logic behind the code but I believe I am facing a semantic issue. Where exactly in Masterpage are we to add this code? I though it was in the source tags but it is not working for me.
Title: very usefull for me....   
Name: gopi
Date: 2010-03-20 5:30:53 AM
Comment:
hi , it s very useful
Title: Thanks a lot!!!   
Name: Jeetal
Date: 2010-03-11 3:47:50 PM
Comment:
Hi Komio,

Thanks you very much for providing the solution. A lot of users are facing this issue. As you suggested, I just added the following line to the MasterPage and it worked like a charm!

Page.Response.AppendHeader("Cache-Control", "no-store, no-cache, must-revalidate, post-check=0, pre-check=0");
Title: Back Button Caching   
Name: Nikhil
Date: 2010-03-03 3:50:35 AM
Comment:
i tried your solutions...
it worked for me ...
thank you very much...
email-nikhil.niksnikhil.rupanawar@gmail.com
Title: clicking on back button after logout still opens the previous page viewed before logout   
Name: khemlal chhetri
Date: 2010-02-23 4:34:17 AM
Comment:
hi
i am working on asp.net 6 and i have created a log out button. now when i click on this button it redirects the page to login page. but when i click on the back tool of the web page it should not go back to the previous page before logging out. so please help me with the codes that i need for this log out.

please its urgent.

send me the reply at good7bad1@gmail.com or good7bad1@druknet.bt
Title: logout problem in rediffmail   
Name: Raghunath
Date: 2010-02-22 6:21:30 AM
Comment:
On clicking logout button i am redirect on login page but when i click on back button i am redirect to previous page which was opened last.
raghunath_raghu@rediffmail.com
Title: Logout   
Name: Manan
Date: 2010-02-04 10:37:54 AM
Comment:
Hi, I tried all the above solutionsgiven but noneof them worked. pls help me out @ manan.jadhav@gmail.com
Title: solution for logout problem   
Name: priya
Date: 2010-01-21 12:31:00 AM
Comment:
HI komio
The solution provided by you has worked for me.
Thanks for the solution.
Title: Logout   
Name: Annu
Date: 2009-12-14 12:45:36 AM
Comment:
On clicking logout button i am redirect on login page but when i click on back button i am redirect to previous pagewhich i opened last.
Title: Logout problem solution [Update]   
Name: komio
Date: 2009-12-07 8:31:33 AM
Comment:
Oh! I almost forgot! DONT use Page.Response.Cache methods!
It will rewrite all headers added with Page.Response.AppendHeader function and browser still will be caching your page!
Just add this line in master page:

Page.Response.AppendHeader("Cache-Control", "no-store, no-cache, must-revalidate, post-check=0, pre-check=0");

It all what you need to work.
Title: Logout problem solution   
Name: komio
Date: 2009-12-07 8:25:31 AM
Comment:
Author of the article forgot about some features of Cache-Control header. Setting value of that header to "no-cache" is insufficient. Browser caching page anyway. To complete disable we should set this for value like below:

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Its working for me in Firefox 3, and IE8. With this setting of that header, Expires may be omitted - it doesn't make any difference.

It is pretty old article but i hope my answer will help someone.
Title: logout problem   
Name: hassan
Date: 2009-10-07 5:51:42 AM
Comment:
Hello
On clicking logout button i am redirect on login page but when i click on back button i am redirect to my homepage.. Plz help.. Reply me on
Title: Logout Problem   
Name: Kundan Singh
Date: 2009-09-14 12:18:57 AM
Comment:
Hello
On clicking logout button i am redirect on login page but when i click on back button i am redirect to my homepage.. Plz help.. Reply me on kundansingh143@gmail.com
Title: Genric Error   
Name: Dev
Date: 2009-09-04 9:04:08 PM
Comment:
I Want Show A one Error Page Of Every error page.If In no data has present then Show Generic Error Page.
Title: logout Problem   
Name: wpro
Date: 2009-07-22 11:01:31 AM
Comment:
on the click of logout i am going to logout but i press back button i am redirecting to the previous page which i was using, no one code is working which in given comment all are i used
Title: Logout Problem   
Name: Ali Asgar
Date: 2009-07-12 2:03:59 AM
Comment:
Hello
On clicking logout button i am redirect on login page but when i click on back button i am redirect to my homepage.. Plz help.. Reply me on a.tajkhan@gmail.com
Title: Logout & clear session problem   
Name: Ajith.T
Date: 2009-07-11 1:26:45 AM
Comment:
on clicking logout, iam redirected to login page.from the login page, when i click on back button, i am redirected to the last page i visited
please help me.
send the result on my id ajith.thelaprath@gmail.com
Title: back button problem (please help me)   
Name: gaurav srivastava
Date: 2009-06-24 6:08:28 AM
Comment:
on clicking logout, iam redirected to login page.from the login page, when i click on back button, i am redirected to the last page i visited
please help me thank you
and send the result on my id iasgaurav@gmail.com
Title: back button problem   
Name: gaurav
Date: 2009-06-24 6:04:59 AM
Comment:
on clicking logout, iam redirected to login page.from the login page, when i click on back button, i am redirected to the last page i visited
please help me thank you.
Title: Maduraiite   
Name: BeggerBoy
Date: 2009-05-19 3:44:31 AM
Comment:
Fine it's working for me...great job dude
Title: logout problem   
Name: uma shankar
Date: 2009-05-14 2:35:40 AM
Comment:
i m triaing for logout but back button redirects previous page.
please sort out my problem
Title: logout problem   
Name: Shreeshail
Date: 2009-05-04 10:13:03 AM
Comment:
I also have same problem i have used a link button for logout .when i click on it, it goes to the login page but on cicking on back button it again goes to the main page .i want to prevent it .can u help me.
Title: Logout Problem   
Name: Abhijit Roy of BESUS
Date: 2009-03-17 6:19:24 AM
Comment:
on clicking logout, iam redirected to login page.from the login page, when i click on back button, i am redirected to the last page i visited.
Title: THANKS   
Name: pooja
Date: 2009-03-16 3:41:28 PM
Comment:
I will try it
Title: logout control   
Name: siddharth
Date: 2009-03-09 6:25:21 AM
Comment:
hi,
whr to use this control? on master page or simple web page. I need code for that, i used following code plz tell me,if u find any error...

Session.Abandon();
Title: Logout   
Name: Navya
Date: 2009-03-03 12:33:27 AM
Comment:
Plz send me the code to navya.meka@gmail.com
Title: Logout   
Name: Navya
Date: 2009-03-02 11:56:25 PM
Comment:
Hi,first of all thanks for giving me the code of logout as

Session.Abandon();
HttpContext.Current.Response.Redirect("PageDesired.apsx", true);

In the Page Load method, call the following:

HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);

But it is not working in mozilla firefox it is only working in internet explorer can ther be any other solution to work the code in firefox also......
Title: cannot logout in asp programming   
Name: reshmispillai_10@yahoo.com
Date: 2009-02-09 5:59:46 AM
Comment:
in asp.net, after clicking log out button, i have redirected to the main page. but by clicking the browser's back button, am getting the previous page.
response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1))
response.Cache.SetCacheability(HttpCacheability.NoCache)
response.Cache.SetNoStore()

should i have to add any code further..?
please help me...
Title: need logout codin for asp   
Name: khushbu
Date: 2009-02-02 11:19:04 PM
Comment:
wanna know asp coding for logout. please mail me - kkhushbuu@gmail.com
Title: please send the code for me also   
Name: Bhaskar
Date: 2009-01-23 7:36:04 AM
Comment:
I also have the same problem when user clicks the back button it goes secure pages.....
send me to kbhaskar@ymail.com
Title: feedback   
Name: kunal sourav
Date: 2009-01-16 9:31:00 AM
Comment:
i used this code but it disables all page from back button
Title: Logout   
Name: anu
Date: 2009-01-07 1:23:56 AM
Comment:
I also have same problem i have used a link button for logout .when i click on it, it goes to the login page but on cicking on back button it again goes to the main page .i want to prevent it .can u help me please.hoping for ur help
my email id is abajracharya64@yahoo.com
Title: Logout   
Name: Mohsin
Date: 2008-11-27 2:36:01 AM
Comment:
i put this code on my logout button but it doesn't work
when i click on back button of brower it shows its all accessed pages active
Please sortout thise problem

Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
Title: log out   
Name: Dev
Date: 2008-11-25 5:53:36 AM
Comment:
after logout successfully when i pressed back button again it shows the last active page.can u assist me.
Title: logout problem   
Name: Manish kumar
Date: 2008-11-18 12:45:46 AM
Comment:
I cannot under stand this code
Title: logout problem   
Name: vijay shejawal
Date: 2008-10-30 3:35:08 AM
Comment:
After logout how to prevent user by clicking Back button of the browser?

Please contact me at shejawalvijay@yahoo.com
avadhut.ketkar@rediffmail.com
Title: Query   
Name: Avadhut
Date: 2008-10-13 5:18:04 AM
Comment:
After logout how to prevent user by clicking Back button of the browser?

Please contact me at avadhut.ketkar@rediffmail.com
Title: Title: logout problem   
Name: Satya Prakash
Date: 2008-09-28 2:21:18 PM
Comment:
when i click logout then i remove all session....
and also check on page lode of second page that session is present then it shows other wise i redirect to first page... please help me
satya_sp786@rediffmail.com
Title: logout problem   
Name: shankar
Date: 2008-07-29 9:58:28 AM
Comment:
is there any namespace to add
Title: logour problem   
Name: silenceraju@yahoo.com
Date: 2008-06-16 8:50:52 AM
Comment:
i want to logout from the current session and take the control back to the home page,,,and also ..should i take an hyperlink or a link button to show logout???
Title: logout problem   
Name: nanda
Date: 2008-06-13 6:15:52 AM
Comment:
the following code is working fine for IE & firefox but not in Opera

Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
Title: cannot logout in asp programming   
Name: vasanth.wellwisher@gmail.com
Date: 2008-06-11 9:23:44 PM
Comment:
in asp.net, after clicking log out button, i have redirected to the main page. but by clicking the browser's back button, am getting the previous page.
response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1))
response.Cache.SetCacheability(HttpCacheability.NoCache)
response.Cache.SetNoStore()

should i have to add any code further..?
please help me...
Title: Need the coding logout asp programming   
Name: atepines@yahoo.com
Date: 2008-05-29 3:09:14 PM
Comment:
logout problem(after logout when clicking on back button after logout still opens the previous page viewed before logout )...

Im using ASP...
Please...
Title: Need the coding logout asp programming   
Name: arezie
Date: 2008-05-04 10:35:18 PM
Comment:
i need the coding about logout asp programming.please email me azie_fatin3427@yahoo.com
Title: logout problem(after logout when clicking on back button after logout still opens the previous page viewed before logout )   
Name: vamshi
Date: 2008-04-16 1:43:26 AM
Comment:
I am using ASP.NET, the web page is abandoning and clear session when a user click logout link but they click the back button and it is still showing the previous page. How can it prevent the previous page after logout?
Please email me the solution at vamshimahi@gmail.com
Title: clicking on back button after logout still opens the previous page viewed before logout   
Name: Anu
Date: 2008-03-21 1:27:15 AM
Comment:
hey, this doesnt seem to work for me.pls let me know where iam wrong.
on clicking signoff, iam redirected to login page.from the login page, when i click on back button, i am redirected to the last page i visited.
here is what iam doing: on page load of the login page i have the following 3 lines of code:
response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1))
response.Cache.SetCacheability(HttpCacheability.NoCache)
response.Cache.SetNoStore()

Do i need to add some more code?

Pls help or send me the code to Ezhil.tify@gmail.com
Title: clicking on back button after logout still opens the previous page viewed before logout   
Name: pradeep
Date: 2008-01-09 11:01:50 AM
Comment:
hey, this doesnt seem to work for me.pls let me know where iam wrong.
on clicking signoff, iam redirected to login page.from the login page, when i click on back button, i am redirected to the last page i visited.
here is what iam doing: on page load of the login page i have the following 3 lines of code:
response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1))
response.Cache.SetCacheability(HttpCacheability.NoCache)
response.Cache.SetNoStore()

Do i need to add some more code?

Pls help or send me the code to pradeep.tiwari83@gmail.com
Title: clicking on back button after logout still opens the previous page viewed before logout   
Name: chirpy gal
Date: 2007-12-17 5:03:27 AM
Comment:
hey, this doesnt seem to work for me.pls let me know where iam wrong.
on clicking signoff, iam redirected to login page.from the login page, when i click on back button, i am redirected to the last page i visited.
here is what iam doing: on page load of the login page i have the following 3 lines of code:
response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1))
response.Cache.SetCacheability(HttpCacheability.NoCache)
response.Cache.SetNoStore()

Do i need to add some more code?

Pls help!
Title: Thanks ASP .NET   
Name: Punithkumar.R
Date: 2007-12-12 5:16:36 AM
Comment:
Thank u...
Title: Thanks   
Name: tsr
Date: 2007-11-01 11:10:26 PM
Comment:
Hey that is what i wanted Thanks so much
Title: succsseded   
Name: sanjay kuamr vishwakarma
Date: 2007-10-31 6:10:30 AM
Comment:
thank you sir
your code has solve my problem
Title: it doesn't work?????   
Name: barbod
Date: 2007-10-17 7:51:21 AM
Comment:
i test ur suggestions , but anything of them didn't work?!?!?!
why? please check them !
Title: logout problem   
Name: Abhi
Date: 2007-10-15 9:06:14 AM
Comment:
any body pls find the error in the below given code
"response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1))"
Title: logout problem   
Name: Hernan
Date: 2007-06-28 4:16:23 PM
Comment:
Here is the code in ASP VBScript which works for both IE and Firefox
<%
Response.AddHeader "Pragma", "no-store"
Response.CacheControl = "no-store"
Response.Expires = -1
%>

It's the only way I did !
Title: logout problem   
Name: Hernan
Date: 2007-06-28 2:21:18 PM
Comment:
Rochak, please, could you tell me the code in ASP VBScript or ASP JavaScript which works for both IE and Firefox ?
Thanks!
Title: logout problem   
Name: Rochak Agrawal
Date: 2007-05-11 6:57:51 AM
Comment:
Here is the code.. which works for both IE and Firefox

response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1))
response.Cache.SetCacheability(HttpCacheability.NoCache)
response.Cache.SetNoStore()
Title: logout problem due to back button   
Name: chayan ray
Date: 2007-04-30 6:25:55 AM
Comment:
I am using ASP.NET, the webpage is abandoning and clear session when a user click logout link but they click the back button and it is still showing the previous page. How can it prevent the previous page after logout?
Please email me the solution at ray.chayan@gmail.com
Title: Back button after logout problem   
Name: Danny Brown
Date: 2007-04-17 11:04:41 AM
Comment:
I am using ASP.NET, the webpage is abandoning and clear session when a user click logout link but they click the back button and it is still showing the previous page. How can it prevent the previous page after logout? it would be secure risks. Please email me the solution at danny.brown@kcc.com
Title: Back Button log out problem   
Name: Hemant Garg
Date: 2007-04-11 7:28:08 AM
Comment:
I am using ASP and not ASP.Net,I am abandoning a session and clear session variable when a user clicks Logout link but when they pressing back button it's still showing the previous page.it should not show previous page when user clicks on back button after logout.
Please mail me the right solution.My mail ID is :
hemant@dtdc.com
Title: Back Button Log Out Problem   
Name: Deven
Date: 2007-02-15 2:41:01 AM
Comment:
All ur comments were quite useful..thanks..My situation is i m using ASP.NET 2.0, c# and the pages are using masterpage. Wat I want is that after I click ASP.NET's Logout control, I shall not be able to browse back to the pages i have just browsed before i logged out. I want to know if there is any way achieving that by setting HttpCachePolicy Properties at one place in code behind (masterpage) and all the other pages inheriting that property....Any suggestion would be quite useful...thanks
Title: Page Not displayed after update page   
Name: Vijay
Date: 2007-02-15 12:00:14 AM
Comment:
Hi all,

In my site when am update the edit user info page its prperly works in IE.But not works in Opera & Mozila...But the updation takes place in the database but the page is not displayed...Wats the reason?
Any idea Appriciate

Thanks&Regards,
Vijayakumar.R
vijayakumarbt@gmail.com
Title: Logout Problem   
Name: Rajesh P N
Date: 2007-01-29 5:31:33 AM
Comment:
I am using ASP and not ASP.Net,I am abandoning a session when a user clicks Logout link but when they pressing back button it's still showing the previous page.
Please mail me the right solution.My mail ID is
rajesh.pn@ajubanet.net
Thanks...
Title: Firefox problem   
Name: lomax
Date: 2006-10-30 10:58:34 AM
Comment:
found a code from a site (http://forums.asp.net/thread/1357789.aspx), this solves the logout problem for both IE and firefox. But still firefox can view it when browsing it offline (work offline) anyone has a solution for this??

Response.ClearHeaders();
Response.AppendHeader("Cache-Control", "no-cache");
Response.AppendHeader("Cache-Control", "private"); Response.AppendHeader("Cache-Control", "no-store");
Response.AppendHeader("Cache-Control", "must-revalidate");
Response.AppendHeader("Cache-Control", "max-stale=0");
Response.AppendHeader("Cache-Control", "post-check=0");
Response.AppendHeader("Cache-Control", "pre-check=0");
Response.AppendHeader("Pragma", "no-cache");
Response.AppendHeader("Keep-Alive", "timeout=3, max=993");
Response.AppendHeader("Expires", "Mon, 26 Jul 1997 05:00:00 GMT");
Title: not working in firefox   
Name: Deepak
Date: 2006-09-22 2:57:15 PM
Comment:
This works good in IE..not in firefox
Title: firefox still doesn't work   
Name: aaron
Date: 2006-09-15 1:31:51 PM
Comment:
I tried to add no-store to header and set header to no cache in code behind, both didn't work in firefox. it still let me go back. can you shed some more light on this?
thanks
aaron
Title: Confuse   
Name: Balamurugan.A
Date: 2006-09-13 2:09:36 AM
Comment:
Hi Sir,

I have inserted above three line meta coding in my all web page but it doesn't work when user logout.

please help me

Send ur answer in this mail
abalamurugan@cyberindigo.net
Title: good one   
Name: pranay
Date: 2006-08-14 5:45:43 AM
Comment:
page provided by u is good
show me real example of it or provide realte this to session timeout/abandon?
thnks for this page
Title: how to review before logout?   
Name: Jason Li
Date: 2006-05-08 9:29:33 AM
Comment:
Thank you for your article. However, when user doesn't logout and tries to review the previous webpage, how to do? There is surposed to many secured webpages.
Title: preventing caching in firfox (incl. back button/history)   
Name: AJ
Date: 2006-04-05 12:03:21 PM
Comment:
Dharma - try adding the cache-control: no-store header (adapt to your programming language as necessary i.e. call setHeader(...) etc. whatever you have to do to set http headers in your environment), that works for me in firefox...
Title: ASP   
Name: DAYA
Date: 2006-04-03 1:50:54 AM
Comment:
HI,
I WANT TO KNOW THAT HOW TO SET LOG IN AND LOG OUT TIME IN ASP..
Title: Worked only on IE   
Name: dharma
Date: 2006-03-10 12:33:30 AM
Comment:
Hello, I've tried to use code snippet you provided, but it worked only on IE. I tried on firefox and opera, and after logging out, I could still see previous pages by clicking back button. Any idea to make it work for other browsers?
Title: second page to main.asp still cached   
Name: Emily
Date: 2006-01-16 10:19:46 AM
Comment:
I have three asp pages. The initial page is login.asp, it goes to page hello.asp. And hello.asp goes to page another.asp. If it goes back from hello.asp to login.asp, then in Internet Explorer, clicking on Back, the cache of the page hello.asp has been removed, which is the effect that I want. If it goes back from another.asp to login.asp, and then in Internet Explorer, clicking on Back, the page another.asp still remains. The top of asp codes for hello.asp and another.asp are the same:response.expires=0
response.expiresabsolute=now()-1
response.addheader "pragma","no-cache"
response.addheader "cache-control","private"
response.cachecontrol="no-cache"
session("permission")=true
response.buffer=true
Please tell me how I can let another.asp not being cached in browser. Thanks in advance.
Title: If You're Still Having Problems   
Name: Richard Dudley
Date: 2006-01-04 2:14:57 PM
Comment:
If you follow this article and you can still review pages, be sure to clear your IE's "Temporary Internet Files". You may be viewing pages cached before the no-cache directives were used.

If that still doesn't work, see if your server is configured for GZip compression (http://support.microsoft.com/default.aspx?scid=kb;en-us;321722).
Title: ASP.net   
Name: Ajay Singh
Date: 2005-11-30 5:21:19 AM
Comment:
Hello,
How to redirect the user to requested page after redirecting to accept login infomration.

on successful login, how to redirect him to the requested page automatically.

please mail at asp_net@rediffmail.com
Title: log out   
Name: Richard Dudley
Date: 2005-11-29 12:44:02 PM
Comment:
ehsan,

I'm not exactly sure what you're asking. If you need help, try the forums at http://asp.net. If you ask your question in a forum, more people may be able to help, and more people can read the helpful answers.
Title: log out   
Name: ehsan
Date: 2005-11-29 6:36:56 AM
Comment:
i want to asked u about the user logout and also take time out in asp coding
i can login in asp page to database oracle
but logout +time out does't manage please send m answe
on this address adnan_wahcantt@yahoo.com
Title: Back Button Log Out Solution   
Name: Carolyn
Date: 2005-11-14 4:16:43 PM
Comment:
Hello All. It took a while at finding the right combination, but here is the solution to the Back Button Log Out Problem. In the logout method, call the following two methods:

Session.Abandon();
HttpContext.Current.Response.Redirect("PageDesired.apsx", true);

In the Page Load method, call the following:

HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);

Also, don't forget to set your session variable, and then check it on the page load method after the Cache function. What happens is that calling Session.Abandon forces the browser to try to reload the page when the Back Button is selected. You can then check your variable and b/c the whole session has been abandoned, it is empty and you can redirect to the page you want, just like in Log Out.

But don't forget to set "NoCache". Session Abandon by itself isn't enough.

And Good Luck!
Carolyn :)
Title: NOT WORKING !!   
Name: Nithin Paul
Date: 2005-09-28 9:01:53 AM
Comment:
I tried using the methods descibed above , but to avail no success.
I have been trying to implement Log out functionality in my page and i need to restrict users with no access to pages they have visited once they logout....
Cn anyone please lemme know how this can be done by using the methods descibed.
Title: Thanx 4 the solution   
Name: Praveen.K.Prasad
Date: 2005-08-22 1:06:08 AM
Comment:
It helped me a lot ur gr8 to simlify complex things :-)
Title: I USE THIS INSTEAD   
Name: xujiyong@gmail.com
Date: 2005-08-18 10:48:55 PM
Comment:
Response.Cache.SetCacheability(System.Web.HttpCacheability.NoCache);
Title: Good one   
Name: Kanaiya Parmar
Date: 2005-08-18 9:17:38 PM
Comment:
It's nicely written article. Keep it up.
Title: What's the default   
Name: Brett
Date: 2005-08-18 8:56:04 PM
Comment:
Anybody know if nothing is set, what the default is?
Title: Re: Custom Headers   
Name: Kim
Date: 2005-08-05 3:44:54 PM
Comment:
Hi Richard,

I tried to use it. But it doesn't work. I trying to know a way to add a custom header in asp.net.

Thanks
Title: Custom Headers   
Name: Richard Dudley
Date: 2005-08-05 2:41:30 PM
Comment:
Kim,

Look up Response.Addheaders in the .NET SDK (you can download from www.asp.net), or Google for the same.
Title: Custom http headers   
Name: Kim
Date: 2005-08-04 5:40:57 PM
Comment:
Hi,

Good article. But I have a question.

How can we set and get a custom http headers in asp.net?
Any ideas welcome.

Thanks in advance!
Title: WHy use "Private" when NoStore is supposedly better?   
Name: Richard Dudley
Date: 2005-07-20 9:16:55 AM
Comment:
"No-store" is a value you can use if you are setting the tags in HTML headers, and is used exclusively by the browser. The example you're pointing to is setting the headers in code-behind, and there are some different values you use (follow the links to the documentation). For instance, there isn't a "no-store" option in the code behind; instead, you'd probably use "NoCache" or "ServerAndNoCache". I'm not an ASP Insider, so I don't know 100% for sure, but I would guess the differences are because you can control server caching behavior from your code-behind, and the framework adds a couple of server directives.
Title: Re: Very handy to know - one question though...   
Name: Richard Dudley
Date: 2005-07-20 9:05:51 AM
Comment:
Mike,

This only needs to be included at the page level. By the time the browser receives the output, everything is one single page. There is only a distinction between ASPX and ASCX on the server.
Title: WHy use "Private" when NoStore is supposedly better?   
Name: Mike
Date: 2005-07-19 11:05:20 PM
Comment:
You say No-store is "a better from of Private" but your examples use the Private - can you clarify why this is? ie: is it better to use No-store or Private?

Thanks!
Title: Very handy to know - one question though...   
Name: Mike
Date: 2005-07-19 10:33:01 PM
Comment:
Good article - thanks! We're finding on our asp.net site that the users browsers are often not showing updated content (or showing pages stored in their ISP's proxy servers?) so I hope to use this to remedy this situation.

One question: our site has two main pages (one secure and one not) which load multiple .ascx controls... do I need to add the HttpCachePolicy lines to every control or just to the main pages and stand-alone pages (such as legal agreemnets, contact pages etc)?

Product Spotlight
Product Spotlight 





Community Advice: ASP | SQL | XML | Regular Expressions | Windows


©Copyright 1998-2024 ASPAlliance.com  |  Page Processed at 2024-03-28 5:29:23 AM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search