Joerg Jooss
2/13/2006 8:38:00 PM
Thus wrote Paul,
> I'm using forms authentication in .NET 2.0.
> When the user logs out I do the following...
> Session.Abandon();
> FormsAuthentication.SignOut();
> I also have the following called in the Page_Load event of every
> secured page...
>
> Response.Cache.SetExpires(DateTime.Now);
> Response.Cache.SetSlidingExpiration(true);
> Response.Cache.SetCacheability(HttpCacheability.NoCache);
Note that the latter call overrides the Expires header with -1.
> The problem is that in IE, the cache is cleared (you can't hit the
> back button after logging out to see secured content.)
>
> HOWEVER, in Firefox (v1.5.0.1) when I hit the back button I am
> presented with the secured content. Is there a way to clear/prevent
> the storage of cache on ANY webbrowser?
Browsers don't need to honor HTTP caching instructions when using navigation
controls like "Back" or "History". Many implementations do though, at least
to some extent. It seems Firefox is pretty faithful in implementing the intended
behaviour as per RFC 2616.
Don't forget that even if you see a cached version of a page that looks like
the user was still logged on, he or she isn't. Any action on the page that
requires a valid session will cause a redirect to the logon page.
Cheers,
--
Joerg Jooss
news-reply@joergjooss.de
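
The point made in the reply above, as an added example that is not part of the original thread: the cache headers are only a request to the browser, while the server-side authentication check on every request is what actually protects the content after logout. The class names SecuredPage and LogoutPage are hypothetical, and adding no-store is an assumption about what the application wants, not something the posters suggested.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical base class for every secured page (the name is an assumption).
public class SecuredPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Server-side check on every request. A copy redisplayed from the
        // browser's history never reaches this code, but any postback or
        // link followed from that stale copy does, and is sent to the
        // login page because the forms-authentication ticket is gone.
        if (!Request.IsAuthenticated)
        {
            // RedirectToLoginPage does not end the request by itself,
            // so stop processing explicitly before any content renders.
            FormsAuthentication.RedirectToLoginPage();
            Response.End();
            return;
        }

        // Caching instructions for the browser and intermediaries.
        // NoCache makes ASP.NET send Expires: -1, as noted in the reply.
        HttpCachePolicy cache = Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);
        // Additionally ask that no copy of the response be kept at all.
        cache.SetNoStore();
    }
}

// Hypothetical logout page using the same two calls as the original post.
public class LogoutPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Session.Abandon();              // discard server-side session state
        FormsAuthentication.SignOut();  // remove the authentication cookie
        FormsAuthentication.RedirectToLoginPage();
        Response.End();
    }
}
```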