I have tried numerous ways to prevent the user from visiting pages they shouldn't be seeing after a successful login and logout. After logging in, the user can click back and visit the login page while still being logged in. After signing out, they can click back and visit every page (despite there being an `[Authorize]` attribute on the controller relevant in this case). After signing out, when they click back and, for example, land on the home page, it will still display the user's name (e.g. "Welcome, [name]").

I have tried adding `[ResponseCache(Location = ResponseCacheLocation.None, NoStore = true)]` to my controller(s), as well as adding a "custom cache filter" to my project I got from here.

I'm stumped as to how to do this properly in ASP.NET Core Identity. Looking through the inspect element option, under the Application tab, there is never anything in cache or application storage. (Not sure if that is relevant at all, if I'm going to be honest.)

EDIT: I've tried putting:

    <meta http-equiv="cache-control" content="max-age=0" />
    <meta http-equiv="cache-control" content="no-cache" />
    <meta http-equiv="expires" content="0" />
    <meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
    <meta http-equiv="pragma" content="no-cache" />

in the head of my _Layout.cshtml page, combined with the ResponseCache Attribute on my controllers and still no luck.

Ouchh
  • That highly depends on how the browser handles the page caching. The browser can, regardless of what you do, show the previous page just as it was before. Anyway, have you tried this? https://stackoverflow.com/a/1341133/2321042 (Check the comments) – Andrew Aug 24 '17 at 23:48
  • @Andrew thanks, I'll check that out! – Ouchh Aug 25 '17 at 07:09
  • @Andrew just tried it out, and it did not work. There are many solutions that work for MVC and whatnot, but when it comes to core, there's not many. Well I mean, the one I posted in my question, but that didn't work either for some reason. – Ouchh Aug 25 '17 at 11:52
  • The solution is more browser related than server related. You must tell the browser not to cache the pages first of all. If the browser caches when clicking on back, the server is not even contacted, so there's nothing you could do at that point. You need to add those meta tags in the header of the page to tell the browser how to behave. If any of those didn't help, I'm out of ideas, but there must be a way! – Andrew Aug 25 '17 at 16:17
  • @Andrew I'll just have to keep looking. I've always used the JavaScript way to do it, but people can have it disabled/can disable it. Thank you for helping either way, I appreciate it! – Ouchh Aug 25 '17 at 18:58
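
An added example, not part of the original question or its comments: one way to send the no-store directives as real HTTP response headers on every response to a signed-in user, instead of per controller or through `<meta>` tags. The names `NoStoreForAuthenticatedMiddleware` and `UseNoStoreForAuthenticated` are hypothetical, and the sketch assumes it is registered after the authentication middleware.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical middleware (name is an assumption, not from the question).
public class NoStoreForAuthenticatedMiddleware
{
    private readonly RequestDelegate _next;

    public NoStoreForAuthenticatedMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public Task Invoke(HttpContext context)
    {
        // OnStarting fires just before the headers are sent, i.e. after MVC
        // filters have written theirs, so these values are the ones delivered.
        context.Response.OnStarting(() =>
        {
            // Only pages rendered for a signed-in user are marked uncacheable;
            // this includes the sign-out response itself.
            if (context.User?.Identity?.IsAuthenticated == true)
            {
                var headers = context.Response.Headers;
                headers["Cache-Control"] = "no-store, no-cache, must-revalidate";
                headers["Pragma"] = "no-cache";   // for HTTP/1.0 caches
                headers["Expires"] = "0";
            }
            return Task.CompletedTask;
        });

        return _next(context);
    }
}

public static class NoStoreExtensions
{
    // Call in Startup.Configure after the authentication middleware
    // (so HttpContext.User is populated) and before UseMvc.
    public static IApplicationBuilder UseNoStoreForAuthenticated(this IApplicationBuilder app)
    {
        return app.UseMiddleware<NoStoreForAuthenticatedMiddleware>();
    }
}
```

To confirm what the browser actually receives, inspect the response headers of a protected page in the developer tools' Network tab; the Application tab's storage views do not show the HTTP cache.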

0 Answers