I have read numerous posts where people have had similar issues but have not found a working solution. I have an MVC 4 site; I do not want to remove caching from the entire website as I want to cache the pages. When the user clicks the logoff button it successfully logs off and redirects to the login page; however, when the user clicks the back button it shows a previously viewed "restricted page" which you should only be able to see if logged in. I understand that this is because the browser has cached the page client side. I have tried a number of solutions and, as mentioned earlier, none of them work. Currently my logoff has the following code:
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public ActionResult LogOff()
{
    FormsAuthentication.SignOut();
    Session.Abandon();
    Session.Clear();

    // Clear the forms authentication cookie
    HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
    cookie1.Expires = DateTime.Now.AddYears(-1);
    Response.Cookies.Add(cookie1);

    // Clear the session cookie (not necessary for your current problem, but I would recommend you do it anyway)
    HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
    cookie2.Expires = DateTime.Now.AddYears(-1);
    Response.Cookies.Add(cookie2);

    // Invalidate the cache on the client side (note: these headers apply only to this logoff response)
    Response.Cache.SetCacheability(HttpCacheability.NoCache);
    Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
    Response.Cache.SetNoStore();
    Response.AppendHeader("Pragma", "no-cache");

    // Send an expired forms ticket back to the browser
    var ticketExpiration = DateTime.Now.AddDays(-7);
    var ticket = new FormsAuthenticationTicket(
        1,
        // replace with the username if this is the wrong cookie name
        FormsAuthentication.FormsCookieName,
        DateTime.Now,
        ticketExpiration,
        false,
        String.Empty);
    var cookie = new System.Web.HttpCookie("user")
    {
        Expires = ticketExpiration,
        Value = FormsAuthentication.Encrypt(ticket),
        HttpOnly = true
    };
    Response.Cookies.Add(cookie);

    return RedirectToAction("Login", "Account");
}
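The cache headers in the LogOff action above only affect the response to the logoff request itself; the restricted pages that the back button replays were served earlier with their default cacheable headers, so the browser is free to show them from its cache. As an added example (not from the question or any answer, and not part of ASP.NET MVC itself), here is an action filter that sends no-store headers only on the actions it decorates, so public pages keep their caching; NoBrowserCacheAttribute and DashboardController are made-up names.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical filter: marks the decorated responses as non-storable so a later
// Back press re-requests the page from the server instead of replaying a cached copy.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public sealed class NoBrowserCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpResponseBase response = filterContext.HttpContext.Response;

        // Cache-Control: no-cache, no-store, must-revalidate
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.Cache.SetNoStore();
        response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);

        // Expires in the past for HTTP/1.0 caches; Pragma for old proxies
        response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
        response.AppendHeader("Pragma", "no-cache");

        base.OnResultExecuting(filterContext);
    }
}

// Apply the filter next to [Authorize] on each restricted controller or action.
// Controllers without it keep whatever caching they already have.
[Authorize]
[NoBrowserCache]
public class DashboardController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```

After logging off, pressing Back on a page served with these headers makes the browser re-request it, and the [Authorize] filter then redirects the now-anonymous user to the login page instead of showing the stale content.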
You could use the hash change event on the browser window to trigger an ajax request on postback; this would obviously fail as you're logged out. From there you could trigger the browser to do anything you like.