Expire Web Page on Browser Back/Forward Button click
Why do we need to expire the web page when the browser back/forward button
is clicked? It is a security concern: if a user on a public, shared computer
leaves a browsed page open, a bad guy can sneak a peek at their information
by using the browser back/forward buttons.
There are a lot of solutions available, but the solution is a little tricky. Let's start.
Part 1
First of all, add the following response properties in your Page_Load function.
Don't put this code inside the if (!IsPostBack) block in Page_Load;
see the sample code below.
    protected void Page_Load(object sender, System.EventArgs e)
    {
        if (!Page.IsPostBack)
        {
            // your logic here
        }
        // Outside the IsPostBack check, so these run on every request.
        Page.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Page.Response.Cache.SetNoStore();
        Page.Response.Cache.AppendCacheExtension("no-cache");
        Page.Response.Expires = 0;
    }
If there is any action or postback, the lines below take effect and expire the page:
    Page.Response.Cache.SetCacheability(HttpCacheability.NoCache);
    Page.Response.Cache.SetNoStore();
    Page.Response.Cache.AppendCacheExtension("no-cache");
    Page.Response.Expires = 0;
Part 2
Now we add our own logic to cater for pages where we don't have any postback.
Add the following code to your Page_Load function, inside the if (!IsPostBack) check,
as below.
We use one Session variable "TimeStamp" and one ViewState variable "TimeStamp".
When the web page is loaded through a navigation link inside the application, both Session["TimeStamp"] and ViewState["TimeStamp"] are null. That means the browser buttons were not clicked and we don't have to expire the page.
Whenever the user clicks the browser back/forward button, the ViewState will be null for that page while the Session will still contain the "TimeStamp". From that we infer that a browser button was clicked, so we expire the page and redirect; in our case we redirect to WebPageExpire.aspx.
    protected void Page_Load(object sender, System.EventArgs e)
    {
        if (!Page.IsPostBack)
        {
            // your logic here
            if (isPageExpired())
            {
                Response.Redirect("WebPageExpire.aspx");
            }
            else
            {
                // Record the same stamp in both stores for this page load.
                string strNow = DateTime.Now.ToString();
                Session["TimeStamp"] = strNow;
                ViewState["TimeStamp"] = strNow;
            }
        }
        Page.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Page.Response.Cache.SetNoStore();
        Page.Response.Cache.AppendCacheExtension("no-cache");
        Page.Response.Expires = 0;
    }
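Now add the function isPageExpired(), which compares Session["TimeStamp"] and ViewState["TimeStamp"].
    private bool isPageExpired()
    {
        // Compare the string values. Both entries are typed as object, so ==
        // would compare references rather than contents.
        return !string.Equals(Session["TimeStamp"] as string,
                              ViewState["TimeStamp"] as string);
    }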
One more thing: wherever you navigate from, whether an asp:Button, asp:Link, etc.,
we have to set Session["TimeStamp"] = null so that every time we navigate legitimately our Session and ViewState have the same value.
    protected void BtnRegister_ServerClick(object sender, System.Web.UI.ImageClickEventArgs e)
    {
        Session["TimeStamp"] = null;
        Response.Redirect("Register.aspx", false);
    }
We have to add the same logic to every page where we need the secure cache-disable functionality. You also have to design an expiry page; in my case I designed the page WebPageExpire.aspx, which shows the user the message "WebPage has expired please login again".
I hope this solves the problem, and I look forward to hearing from you guys.