How to prevent user from going back to the login-page after successful login using back button

Question

I am working on an MVC3 application and is stuck with a login security issue. The scenario is when a user logs-in with his/her username and password, if correct, he/she will

Answer 1

you need to expire cache and headers, here is what i use:

  <% HttpContext.Current.Response.Cache.SetAllowResponseInBrowserHistory(false);
   HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);
   HttpContext.Current.Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
   HttpContext.Current.Response.Cache.SetValidUntilExpires(false);
   HttpContext.Current.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
   HttpContext.Current.Response.Cache.SetNoStore();
   Response.Cache.SetExpires(DateTime.Now);
   System.Web.HttpContext.Current.Response.AddHeader("Pragma", "no-cache");
   Response.Cache.SetValidUntilExpires(true);
   Response.Buffer = true;
   Response.ExpiresAbsolute = DateTime.Now.Subtract(new TimeSpan(1, 0, 0, 0));
   Response.Expires = 0;
   Response.CacheControl = "no-cache";
   Response.Cache.SetExpires(DateTime.UtcNow.AddYears(-4)); 
   Response.ExpiresAbsolute = DateTime.Now.Subtract(new TimeSpan(1, 0, 0, 0));
   Response.AppendHeader("Pragma", "no-cache");
   Response.Cache.AppendCacheExtension("must-revalidate, proxy-revalidate, post-check=0, pre-check=0");
%>  
<script language="javascript" type="text/javascript">
    window.onbeforeunload = function () {
        // This function does nothing.  It won't spawn a confirmation dialog   
        // But it will ensure that the page is not cached by the browser.
    }  
</script>

Add this in page head and the next time user try to go back it will request new page load.

Answer 2

You can use javascript that checks for cookie you'll give after successfull login. the js will check it onpage load and redirect to non-login page if the cookie exists. there are also other methods to do that as desctibed in: here