FormsAuthentication client-side problem

Ask a Question related to ASP.NET Security, Design and Development.

  1. #1

    FormsAuthentication client-side problem

    I'm using FormsAuthentication to secure access to a web site. The
    authentication process works correctly initially. The pages on the site have
    a "logout" button, which basically calls FormsAuthentication.SignOut() and
    redirects the user to the login page.

    The problem is that after the user logs out, if they were to use their
    browser's "Back" button (or even enter the url to the page directly on the
    browser), they are allowed into that page. This is probably because the
    browser is simply re-rendering the page without going back to the server
    (I've verified that it does not go back to the server by placing a
    breakpoint on page_load). Interestingly enough, if you enter a url for a
    page on that web site that was not navigated to while the user had been
    authenticated, then it correctly kicks them to the login page. But any page
    that was visited during the authenticated session continues to be available
    on that browser even after SignOut.

    Since this needs to be solved on the client side, I'm trying to implement
    something using the client's onload event, which is raised every time the
    browser renders the page (whether through Back button, etc). But the problem
    is that with client-side scripting like javascript or vbscript I don't have
    access to session variables and such - which I could otherwise use to
    indicate that the user is no longer authenticated. So I'm at a loss as to
    how to handle this.

    If someone has dealt with this before, I'd much appreciate pointing me in
    the right direction.

    Thanks


    Marcio Kleemann Guest

  3. #2

    Re: FormsAuthentication client-side problem

    Marcio,

    Try this in your Page_Load:

    Response.Cache.SetCacheability(HttpCacheability.NoCache);

    --
    Regards,
    Wes Henderson

    In order to help everyone, please direct all replies to this newsgroup.
    This posting is my personal effort to provide help and is not on behalf of
    any company.
    Also, this posting is provided "AS IS" with no expressed or implied
    warranties.


    Wes Henderson Guest
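
    The fix suggested above, applied to every authenticated response instead of one Page_Load at a time. This is an added example, not code from the thread; the module name is hypothetical, and the SetNoStore() call goes beyond the reply by also telling the browser not to keep a copy of the page at all.

    ```csharp
    using System;
    using System.Web;

    // Hypothetical module (name is an assumption). Register it in web.config
    // under <httpModules> so it runs for every request to the application.
    public class NoCacheForAuthenticatedModule : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            // PreRequestHandlerExecute fires after forms authentication has
            // identified the user and just before the page handler runs.
            app.PreRequestHandlerExecute +=
                new EventHandler(OnPreRequestHandlerExecute);
        }

        private static void OnPreRequestHandlerExecute(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;

            // Leave anonymous content (login page, static help pages) cacheable.
            if (!ctx.Request.IsAuthenticated)
            {
                return;
            }

            HttpCachePolicy cache = ctx.Response.Cache;

            // Same call as in the reply: emits Cache-Control: no-cache and
            // Pragma: no-cache, so the browser must go back to the server,
            // where the missing auth ticket triggers the login redirect.
            cache.SetCacheability(HttpCacheability.NoCache);

            // Adds no-store, so the page is not written to the browser's
            // disk cache either.
            cache.SetNoStore();
        }

        public void Dispose()
        {
        }
    }
    ```

    Pages already cached by a browser before these headers were sent stay in that browser's cache until it evicts them, so verify the change with a fresh session.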

  4. #3

    Re: FormsAuthentication client-side problem

    That did it - thanks!


    Marcio Kleemann Guest
