Question
I am currently working on an MVC3 website with user authentication.
I have this security issue whereby I want to prevent a user from logging back in by pressing the back button after successfully logging out from the page.
I have researched many solutions, however I do not understand how to apply them to my project. Is it possible to do it in MVC3?
Answer 1:
You are not re-logging in, you are only viewing the page from the browser cache. If you try to debug, you will see that no code is executed when the back button is pressed in the browser. If you try to click something after logging out and pressing back, you will be redirected to the login page (if you left the default MVC3 app behavior).
There are several solutions, and this is my take:
You can make a custom ActionFilterAttribute to prevent caching on controllers and/or actions, like this, then simply apply it to the action/controller:
public class NoClientCache : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        // Expire the response in the past and forbid every cache (browser, proxy, server) from reusing it.
        filterContext.HttpContext.Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
        filterContext.HttpContext.Response.Cache.SetValidUntilExpires(false);
        filterContext.HttpContext.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        filterContext.HttpContext.Response.Cache.SetCacheability(HttpCacheability.ServerAndNoCache);
        filterContext.HttpContext.Response.Cache.SetNoStore();
        base.OnResultExecuting(filterContext);
    }
}
You can force a refresh after logout is executed by triggering this client-side in the browser:
history.go(1);
Added: If you are logging out from a single location, you should go with the first approach, but if your logout button is on the layout page, it would be bad to disable caching on all pages, so the 2nd approach seems the way to go.
Answer 2:
The problem with John's solution is that caching is actually quite useful, and you probably don't want to remove this functionality from your app.
An easy way to fix this problem is to force your output HTML page to refresh itself if the user logs out. This could be accomplished by using JavaScript to send an AJAX request back to your server at the beginning of the request and validate that the user is still logged in. If the user has logged out, simply do a client-side redirect to the same page. This should effectively resolve your issue.
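The server half of the approach described in this answer, as an added example (not code from the answer or from the question's project): the status endpoint the page's JavaScript would poll. The controller and action names (SessionController, Status) are this example's own choices. The one caveat worth showing is that the polling endpoint itself must be marked uncacheable, otherwise the browser can answer the AJAX check from its cache with a stale "still logged in".

```csharp
using System.Web.Mvc;
using System.Web.UI;

// Hypothetical controller for this example; not part of the original answer.
public class SessionController : Controller
{
    // NoStore + Duration = 0 + Location = None: MVC3's OutputCache attribute emits
    // Cache-Control: no-cache, no-store and Expires: -1 for this action, so every
    // poll actually reaches the server and reflects the real authentication state.
    [OutputCache(NoStore = true, Duration = 0, VaryByParam = "None", Location = OutputCacheLocation.None)]
    public ActionResult Status()
    {
        // Only a boolean leaves the server; no account detail is exposed to an anonymous caller.
        bool authenticated = User != null && User.Identity.IsAuthenticated;
        return Json(new { authenticated = authenticated }, JsonRequestBehavior.AllowGet);
    }
}
```

On the client, the check belongs in the page's pageshow handler rather than only in DOMContentLoaded: a page restored from the back/forward cache fires pageshow with event.persisted set to true but does not re-run load handlers. When the endpoint reports authenticated: false, the script replaces the current location with the login URL (location.replace rather than assign, so the cached page does not stay in the history).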
Answer 3:
When a user clicks the back button the browser is simply re-displaying a cached page.
If you want the browser not to cache pages and prevent this from happening, you have to instruct it as such with an HTTP response header.
You need to run the code below along with every HTTP response that you don't want cached:
HttpContext.Current.Response.AddHeader("Cache-Control", "no-cache");
HttpContext.Current.Response.AddHeader("Cache-Control", "private"); //to be safe cross browser
If you include this code in a custom base controller (below) you can avoid code duplication across the site:
public class CustomBaseController : Controller
{
    protected override void OnResultExecuting(ResultExecutingContext context)
    {
        // Runs before every action result is rendered, so each response carries the headers.
        HttpContext.Current.Response.AddHeader("Cache-Control", "no-cache");
        HttpContext.Current.Response.AddHeader("Cache-Control", "private"); //to be safe cross browser
        base.OnResultExecuting(context);
    }
}
If you use the above approach, just make sure to have all your controllers inherit from "CustomBaseController" when you don't want them to allow a user to view cached pages with the back button.
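A complete version of the header approach from Answers 1 and 3, as an added example that is not code from either answer or from the question's project. It registers one global action filter in Global.asax (the MVC3 GlobalFilters mechanism, so no base class has to be inherited) and applies the no-cache headers only to responses rendered for a signed-in user, which addresses the concern in Answer 1 that a logout link in the shared layout would otherwise force caching off for every page. The filter name NoCacheWhenAuthenticatedAttribute is this example's own; MvcApplication, AccountController and LogOff follow the default MVC3 template names but are assumed here.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical filter name chosen for this example.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public sealed class NoCacheWhenAuthenticatedAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpContextBase http = filterContext.HttpContext;

        // Anonymous responses (login page, public content) stay cacheable. Only
        // responses produced for an authenticated user are marked uncacheable, so
        // registering the filter globally does not switch caching off site-wide.
        if (http.User != null && http.User.Identity.IsAuthenticated)
        {
            ApplyNoCache(http.Response);
        }

        base.OnResultExecuting(filterContext);
    }

    // Uses the HttpCachePolicy API rather than AddHeader so the headers do not
    // conflict with the ones ASP.NET emits itself. Net effect is equivalent to:
    //   Cache-Control: no-cache, no-store, must-revalidate
    //   Pragma: no-cache
    //   Expires: -1
    public static void ApplyNoCache(HttpResponseBase response)
    {
        response.Cache.SetCacheability(HttpCacheability.NoCache);        // no-cache, plus Pragma and Expires: -1
        response.Cache.SetNoStore();                                      // no-store: keep the page out of disk cache
        response.Cache.AppendCacheExtension("must-revalidate");           // no heuristic reuse by intermediaries
        response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
    }
}

// Global.asax.cs: one registration covers every controller and action.
public class MvcApplication : HttpApplication
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new NoCacheWhenAuthenticatedAttribute());
    }

    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        RegisterGlobalFilters(GlobalFilters.Filters);
        // RegisterRoutes(RouteTable.Routes); as in the default template
    }
}

// Logout must end the session server-side as well. Once it has, a page restored
// from the browser cache is inert: any link or form on it produces a request with
// no valid ticket, which [Authorize] redirects to the login page.
public class AccountController : Controller
{
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();   // removes the forms-authentication cookie
        Session.Abandon();               // discards server-side session state for this id
        // Session.Abandon does not clear the cookie; expire the default session
        // cookie so the old id is not presented again on the next request.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty) { Expires = DateTime.UtcNow.AddDays(-1) });
        return RedirectToAction("Login", "Account");
    }
}
```

Checking the result is straightforward: after signing in, the response headers of any page should show the Cache-Control line above, while the login page itself (anonymous) keeps whatever caching it had before; after LogOff, pressing back still shows the cached copy only if the browser ignores no-store, and any interaction with it lands on the login page.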
Source: https://stackoverflow.com/questions/10908565/possible-way-to-make-the-page-session-expired-in-asp-mvc-3-press-back-button