Wednesday, August 27, 2008

Browser Back Button Security

Sometimes we have to work on a secured project where even the browser cache can be a problem. By default an ASP.Net page is sent with a Cache-Control: private header, so the browser is allowed to keep a copy of it. If a user signs out but forgets to close the browser, anybody at that machine can press the back button and read the cached copies of pages that should only be visible to a logged-in user, which can create an embarrassing situation. We can stop the browser from keeping the page by adding the following two lines to every page's Page_Load event. Note that this does not disable the back button itself: it makes the browser re-request the page on back navigation, so the server gets the chance to send the signed-out user to the login page instead of the old content:

// Cache-Control: no-cache (ASP.Net also emits Pragma: no-cache and Expires: -1 for this policy)
Response.Cache.SetCacheability(HttpCacheability.NoCache);
// do not let the browser keep this response in its history cache
Response.Cache.SetAllowResponseInBrowserHistory(false);

The above two lines are enough to tell the browser not to cache the page; the NoCache policy already makes ASP.Net emit Cache-Control: no-cache, Pragma: no-cache and Expires: -1. If you prefer to state the HTTP/1.0-style headers explicitly in your own code, you can also add the following three lines. They are there for compatibility with old browsers and proxies, not for performance:

Response.CacheControl = "no-cache";      // legacy string form of Cache-Control: no-cache
Response.AddHeader("Pragma", "no-cache"); // HTTP/1.0 caches only understand Pragma
Response.Expires = -1;                    // minutes from now; a negative value means "already expired"

which is roughly the equivalent of the following meta tags. Rely on the real HTTP headers, though: meta http-equiv tags are only seen by the browser once it parses the HTML, and proxies ignore them entirely.

<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
<meta http-equiv="CACHE-CONTROL" content="NO-CACHE">
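Putting those lines into every Page_Load is easy to forget on the next page somebody adds. As an added example that is not from the original post, here is an IHttpModule that applies the full header set to every response for an authenticated user, so no individual page has to remember to do it. The class name NoCacheModule is my own; the module assumes a .NET Framework ASP.Net site (System.Web) with Forms authentication or any other provider that populates HttpContext.User. It also adds the no-store directive, which is the one that tells the browser not to write the page to its cache at all (no-cache alone only requires the stored copy to be revalidated before reuse).

```csharp
using System;
using System.Web;

// Added example (not part of the original post): applies the no-cache header set
// to every response that belongs to an authenticated user, from one central place.
public class NoCacheModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // PostAuthenticateRequest runs after Forms authentication has set context.User,
        // and before any headers have been sent.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        bool authenticated = ctx.User != null
                             && ctx.User.Identity != null
                             && ctx.User.Identity.IsAuthenticated;
        if (authenticated)
        {
            ApplyNoCache(ctx.Response);
        }
    }

    // Emits: Cache-Control: no-cache, no-store, must-revalidate
    //        Pragma: no-cache
    //        Expires: (in the past)
    // and keeps the response out of the browser history cache.
    public static void ApplyNoCache(HttpResponse response)
    {
        HttpCachePolicy cache = response.Cache;

        cache.SetCacheability(HttpCacheability.NoCache);      // Cache-Control: no-cache, Pragma: no-cache
        cache.SetNoStore();                                   // Cache-Control: no-store
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches); // Cache-Control: must-revalidate
        cache.SetExpires(DateTime.UtcNow.AddYears(-1));       // Expires in the past (NoCache already sends -1; this keeps it explicit)
        cache.SetAllowResponseInBrowserHistory(false);        // same as the second line in the post
    }

    public void Dispose()
    {
        // nothing to release
    }
}
```

Register the module once in web.config: under <system.web> add <httpModules><add name="NoCacheModule" type="NoCacheModule"/></httpModules> for the classic pipeline, or under <system.webServer><modules> for IIS 7 integrated mode. Because the headers are applied based on the authenticated user rather than on a page-by-page basis, a page that is later moved or added under the protected area is covered automatically.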

Also don't forget to set authorization in the configuration file, so that anonymous requests for the protected pages (including the re-request the browser makes when the back button is pressed after sign-out) are redirected to the login page. The rules are evaluated in order and the first match wins, so deny users="?" (anonymous users) must come before allow users="*". Remember that none of this helps unless sign-out really ends the session on the server (FormsAuthentication.SignOut() together with Session.Abandon()); otherwise the re-requested page is simply served again:

<location path="admin">
  <system.web>
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

Enjoy Programming!

1 comment:

Robin Thomas said...

I don't see any need for the following lines for achieving this
Response.CacheControl = "NO-CACHE";
Response.AddHeader("Pragma", "no-cache");
Response.Expires = -1;

The following post describes a JavaScript method for doing the same task.

http://www.robinthomas.in/dotnet/restrict-user-go-back-to-previous-page-after-signout/