Generally when any user logs into any web application, we store some value in session. The session continues the user existence until logout. After logout, we clear/abandon the session and redirect to login page. In that state, the user is out of website and the secret information is now secure or nobody is authorized to view/access the information.
But the problem is now, from this redirect login page if user clicks the back button of browser, it again goes to the previous visited page although the page is already logged out. The main reason is the browser’s cache. This is because while user logs out the session, the session is abandoned in the server side.
But after clicking the back button of the browser, the previous page is not postback, the client side just opens from cache. It only works if the back page refreshes/reloads, because in that period the page becomes postback.
The common problem has many solutions but each and every solution has some limitations. Let’s see the existing solutions that we can find easily in searching.
Existing Solution 1: Clear Cache/No-Cache
// Code disables caching by browser. Hence the back browser button
// grayed out and could not causes the Page_Load event to fire
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetExpires(DateTime.UtcNow.AddHours(-1));
Response.Cache.SetNoStore();
Limitations
- Server Side code and for that it does not work without postback.
- I have to clear my cache by force (I don’t want to clear my cache).
Existing Solution 2: Use Meta Tag for No-Cache
<meta Http-Equiv="Cache-Control" Content="no-cache">
<meta Http-Equiv="Pragma" Content="no-cache">
<meta Http-Equiv="Expires" Content="0">
Limitations
- This is not possible because Back history is maintained by browser, you will need to close the window.
- I have to clear my cache by force (I don’t want to clear my cache).
Existing Solution 3: Clears Browser History and Redirects URL
//clears browser history and redirects url
<SCRIPT LANGUAGE="javascript">
{
var Backlen=history.length;
history.go(-Backlen);
window.location.href=page url
}
</SCRIPT>
Limitations
- Same limitation like solution 1: Does not work in all browsers, moreover I have to clear my history although I don't want to do this.
Existing Solution 4: Call JavaScript from Server Side to Clear Cache
Page.ClientScript.RegisterStartupScript(this.GetType(),"cle","windows.history.clear",true);
Limitation
- Server side code, so it does not work without postback again. Moreover I have to clear my history although I don't want to do this.
Alternative Solution
From the above explanation, we can understand that when the user clicks on back button of browser, the client side loads only. Even no postback happens in that period. For that, I handle the problem on the client side. You can think that if we check the session value in client side with JavaScript, then the problem will solve? My answer is: NO. Because when we clear/abandon the session value, its value changed only server side but the value which has already taken with JavaScript variable, it stores on cache as well.
The only one solution is if we can check the server session value from client side on loading moment, then we can overcome this issue.
Analysis of Code
Login Page: Login process is very common like I store a
session
value while login is successful.protected void btnSave_Click(object sender, EventArgs e)
{
// User Name and Password Check here
//After successful login store a session value
Session["user"] = "user:Desme-BD";
Response.Redirect("/frmContentHome.aspx", true);
}
I have stored "
user:Desme-BD
" in session
"user
".
Master Page(Server Side): In content page, I have checked the
session
value or Redirect the page to Login page.// this is simple method only checking the session value while user login
private void CheckLogin()
{
string domain = Request.Url.Authority.ToString();
BaseURL = "http://" + domain + "/";
//Load menu or Do Any database related work
if (Session["user"] != null)
{
lnkLogin.Text = "Logout";
lnkLogin.PostBackUrl = BaseURL + "frmLogout.aspx";
}
else
{
Response.Redirect(BaseURL + "frmLogin.aspx", false);
}
}
Logout Page: I also clean the
session
value while logout with those common methods.Session.Abandon();
Session.Clear();
Session.RemoveAll();
System.Web.Security.FormsAuthentication.SignOut();
Response.Redirect("frmLogin.aspx", false);<span style="font-size: 9pt;"> </span>
The Method which Checks Server's Session with Client Side
Master Page(Client Side)
On ASPX page, I use the Jquery with JSON and check the
Session
value with LogoutCheck() WebMethod
.<script type="text/javascript">
$(document).ready(function () {
CheckingSeassion();
});
function CheckingSeassion() {
$.ajax({
type: "POST",
url: "frmLogout.aspx/LogoutCheck",
data: "{}",
contentType: "application/json; charset=utf-8",
dataType: "json",
success: function (response) {
if (response.d == 0) {
window.location = '<%= BaseURL %>' + "frmLogin.aspx";
}
},
failure: function (msg) {
alert(msg);
}
});
}
</script>
The
LogoutCheck() WebMethod
checks the session
value from application server on client side loading moment.
I created this method on frmLogout.aspx page like this:
[WebMethod]
public static int LogoutCheck()
{
if (HttpContext.Current.Session["user"] == null)
{
return 0;
}
return 1;
}
Now, when user logs out the page, it redirects to logout page and clears and abandons the session values. Now when user clicks back button of browser, the client side only loads and in that period the
CheckingSession() WebMethod
fires in JQuery and it checks the session value LogoutCheck() WebMethod
. As the session is null
, the method returns zero and the page redirects again in login page. So, I don't have to clear the cache or clear any history of user's browser.
Download the solution-> browse frmLogin.aspx -> give any password and Login-> now Logout-> click back button on your browser and notice.
Advantages
- Works on client side page load. No need to postback because it's calling with Ajax.
- No need to remove cache/history
- No need to disable back button of web browser
No comments:
Post a Comment