how to disable browser's back button after logout

shaky · #1 (**permalink**) 06-18-03, 03:12 AM

Hi!
I'm searching for an expert using the logout function in classic asp language.

i need help on my asp project right now.
hope u can give me some help!

i have already done my login page which will redirect to "check.asp" where i check the username and password and set session("username") = request.form("username"). User then can logout by click logout --> redirect to "logout.asp" which i"ve set session("username")="".

The problem is, when user logout as long as the browser is open you can always hit the browser "back" and "forward" buttons all day long , even to the page they can't visit.

I even try to use Session.Abandon to kill an active session but this seems didn't work too. I've also try to use cookies, but i can still hit the back button!

i also try put this script on my every page to check session
<%
If Session("username") = "" then
Response.Redirect("notallow.asp")
End If
%>

and try to use this header:-

<%Response.CacheControl = "no-cache"%>

in every page except on some pages containing forms, but the problem is still there.I can still hit the back button after logout,
except if i click the "refresh" button, then only it will redirect to "notalllow.asp"

for your info, i'm currently using ie 6 as my browser.

Please help me!
Urgent!

Thank you.

shaky512@hotmail.com

Ryan · #2 (**permalink**) 06-18-03, 03:21 AM

Moved to appropriate forum.

shaky · #3 (**permalink**) 06-18-03, 03:26 AM

what do you mean? which forum should i join?

Stealth · #4 (**permalink**) 06-18-03, 10:12 AM

forums have categories.

post in the category most relevant to what your asking, not the most irrelevant

Shane · #5 (**permalink**) 06-18-03, 10:15 AM

You can't disable the browsers back button. There are no events associated with it.

http://groups.google.com/groups?hl=e...com%26rnum%3D8

Stealth · #6 (**permalink**) 06-18-03, 10:15 AM

Try adding this to the top of your page

Code:

Response.expiresabsolute=now() -1

or you could try

Code:

<meta http-equiv="PRAGMA" value="NO-CACHE">
<meta http-equiv="Expires" content="Mon, 01 Jan 1990 12:00:00 GMT">

or finally, one i found on the net but havnt tried is

Code:

Response.CacheControl = "no-store"
Response.AddHeader "Pragma", "no-cache" 
Response.Expires = -1

im sure Response.CacheControl = "no-cache" prevents cacheing on server but i may be wrong

Gurrutello · #7 (**permalink**) 06-20-03, 09:03 PM

hello
its allmost impossible to disble the back button ( only in pop ups with out navigation bar, and dissable right button click)
but if you use in each password protected page
<%
If Session("username") = "" then
Response.Redirect("notallow.asp")
End If
%>

or
<%
If request.cookies("username") = "" then
Response.Redirect("notallow.asp")
End If
%>
this could be ok.
maybe user can go back but they can't do anything
saludos

khnle · #8 (**permalink**) 08-18-06, 08:37 AM

I faced this problem many times in the past, and I think I finally found the solution. Unfortunately, since I have only been required to work in the Java environment, my solutions are only presented in a Java-centric way. This is not to say that the problem and solution are only tied to a particular technology. I just have not done a sample is ASP.NET or PHP. My goals are eventually to do them.

Anyway, for now, you can catch an article that I wrote:

http://www.javaworld.com/javaworld/j...27-logout.html

Since then, I found out an even "better" way of doing it, and you can check out the demo here:

http://pragmaticobjects.org/properLogoutDemo/
https://pragmaticobjects.com/properLogoutDemo/

So as you can see, there is a solution, and it works for both http and https (one code base). In both cases, the back button is not disabled as in your requirements. However, the back button has been "neutralized" or made ineffective.

I will post a more ASP.NET centric solution.

Kevin H. Le
http://pragmaticobjects.org