Disable the Back button of a browser to deny access to a page previously opened by another user.
Here I am posting from another resource, in case we come across the same problem.
When I was coding sign-in and sign-out for my client's application, I found that after signing out from the application I transferred control to the login page, e.g. login.aspx. At this point, if I click the Back button of the browser, it shows the content of the previous page the user was viewing.
As there was important data displayed on the page, it is a security threat.
It is a threat for web applications displaying important information like credit card numbers or bank account details.
I tried to find the solution on the net but could not get a satisfactory answer.
On searching I found the following problem, and I think it is important to share this issue.
What happens when the Back button is clicked-
When we visit a page, it is stored in a cache, i.e. the history on the local machine. Whenever the user clicks the Back button, the previous page is taken from this cache and displayed; the request does not go to the server to check the login information, because the page is found in the local cache. Only if we submit or refresh the page is a request sent to the server side.
Caching-
Caching of web pages can happen in three separate entities in a web environment.
- When you think about caching, you usually think about the web pages cached locally in the temporary Internet files of the profile that was used to log into the local machine, as a result of having visited the page.
- But caching can also occur within the Internet Information Server (IIS) server, and
- If a proxy server is present, it can be configured to cache the pages.
Solution-
To avoid displaying the page on click of the Back button, we have to remove it from the cache, or tell the server not to cache this page.
So if we do not cache the page, then on click of the Back button the request goes to the server side, and validation can be done whether the session exists or not.
This can be achieved by adding the following code in the page load of the page that we do not want cached in history.
protected void Page_Load(object sender, EventArgs e)
{
    Response.Buffer = true;
    // Mark the page as already expired
    Response.ExpiresAbsolute = DateTime.Now.AddDays(-1d);
    Response.Expires = -1500;
    Response.CacheControl = "no-cache";
    // No session means the user has signed out: send them to the login page
    if (Session["SessionId"] == null)
    {
        Response.Redirect("WdetLogin.aspx");
    }
}
Code in Detail-
Response.ExpiresAbsolute=DateTime.Now.AddDays(-1d);
Here, instead of giving the current date, we give a date in the past, which confirms the expiration of the page. Using a date relative to now, rather than specifying a static date, allows for time differences if your page is being viewed by a browser in a very different time zone.
Response.Expires = -1500;
Some IIS internals experts revealed this can be a very touchy parameter to rely upon, and it usually requires a rather "large" negative number or, pedantically, a very small number.
Response.CacheControl = "no-cache";
It tells the browser not to cache the page.
Things can work with only one line of code, i.e. Response.CacheControl = "no-cache";
But it is good practice to delete the existing page from the cache.
This code will tell the server not to cache this page; because of this, when the user clicks the Back button, the browser will not find the page in the cache and will go to the server side to get the page.
Disabling the cache can also be done by adding the following line in the meta section of the page
Proxy Server Caching-
Response.CacheControl = "private";
It disables proxy server caching, and the page is cached on the local machine.
Response.CacheControl = "public";
Proxy server caching is enabled.
Users request pages from a local server instead of directly from the source.
So if the information displayed is critical, extra care should be taken to remove the page from the cache on sign-out.
Hence for such applications, keeping pages non-cacheable is a good solution.
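As an added example (not part of the original post), the following JavaScript checks what a set of response headers allows caches to do, using the standard meanings of the Cache-Control values named above: "private" keeps the page out of shared proxies, "no-cache" allows a stored copy but requires a check with the server before it is reused, and "no-store" forbids keeping a copy at all. The function names and the sample header sets are constructed for illustration.

```javascript
// Added example: audit caching headers on a response with per-user data.
// The header sets passed in are constructed samples, not captured traffic.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of (value || "").split(",")) {
    const [name, arg] = part.trim().split("=");
    if (name) directives.set(name.toLowerCase(), (arg || "").replace(/"/g, ""));
  }
  return directives;
}

function auditCacheHeaders(headers, now = new Date()) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const cc = parseCacheControl(h["cache-control"]);
  const noStore = cc.has("no-store");

  // A missing Expires sets no limit; an invalid or past one means "stale".
  const expired = h["expires"] !== undefined &&
    !(Date.parse(h["expires"]) > now.getTime());
  // max-age, when present, takes precedence over Expires.
  const fresh = cc.has("max-age") ? Number(cc.get("max-age")) > 0 : !expired;

  const result = {
    browserMayStore: !noStore,
    proxyMayStore: !noStore && !cc.has("private"),
    // True when a stored copy can be shown without contacting the server,
    // which is the case where the login check never runs.
    reuseWithoutServerCheck: !noStore && !cc.has("no-cache") && fresh,
    findings: [],
  };
  if (result.browserMayStore) result.findings.push("no-store missing: a copy may be kept");
  if (result.proxyMayStore) result.findings.push("not private: a shared proxy may keep a copy");
  if (result.reuseWithoutServerCheck) result.findings.push("stored copy may be reused without revalidation");
  return result;
}

// Constructed samples mirroring the settings discussed in the post.
const SAMPLES = {
  privateOnly: { "Cache-Control": "private" },
  publicOnly: { "Cache-Control": "public" },
  noCacheExpired: { "Cache-Control": "no-cache", Pragma: "no-cache",
                    Expires: "Thu, 01 Jan 2009 00:00:00 GMT" },
  noStore: { "cache-control": "no-cache, no-store", Expires: "-1" },
};
for (const [name, hdrs] of Object.entries(SAMPLES))
  console.log(name, JSON.stringify(auditCacheHeaders(hdrs)));
```

A response that returns an empty findings list is one that no cache is allowed to keep, so the Back button has nothing local to show and the request reaches the session check on the server.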
Another code sample for the same:
<%
'FROM MIND Magazine,
'September 1999 issue
'GeekToGeek column by
'Robert Hess
'Below must be place before HTML tag
'and everything else on page
response.expires = -1
response.AddHeader "Pragma", "no-cache"
response.AddHeader "cache-control", "no-store" %>
<%'To Test code:
'Load the page, go to
'a different page,
'then click back. You'll
'see the time change (i.e.,
'page not being loaded from
'cache)
'This prevents pages from being cached,
'but not images on page.
response.write now() %>
This example explains how to disable the browser Back button using JavaScript in ASP.NET. To keep the user from going to the previous page by clicking the Back button of the browser, we need to use JavaScript to prevent the user from navigating to the previous page.
Just put this JavaScript in the HTML section of the aspx page, in the head section
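<script type="text/javascript">
function disableBackButton()
{
    // Move forward again if this page was reached through the Back button
    window.history.forward();
}
// Pass the function itself rather than a string to be evaluated
setTimeout(disableBackButton, 0);
</script>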
We need to put it in the HTML section of the page which we want to prevent the user from revisiting by hitting the Back button.
The complete code of the page looks like this
<%@ Page Language="C#" AutoEventWireup="true"
CodeFile="Default.aspx.cs" Inherits="_Default" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>Untitled Page</title>
<script type = "text/javascript" >
function disableBackButton()
{
window.history.forward();
}
setTimeout(disableBackButton, 0);
</script>
</head>
<body onload="disableBackButton()">
<form id="form1" runat="server">
<div>
This is First page <br />
<br />
Go to Second page
<br />
<br />
<asp:LinkButton ID="LinkButton1" runat="server"
PostBackUrl="~/Default2.aspx">Go to Second Page
</asp:LinkButton></div>
</form>
</body>
</html>
If you are using Firefox, then use <body onunload="disableBackButton()"> instead of onload.
If you want to disable the Back button using the code-behind of the aspx page, then you need to write the code below.
C# code behind
protected override void OnPreRender(EventArgs e)
{
    base.OnPreRender(e);
    // Same script as shown above for the HTML section of the page
    string strDisAbleBackButton;
    strDisAbleBackButton = "<script type=\"text/javascript\">" +
        "function disableBackButton() { window.history.forward(); }" +
        "setTimeout(disableBackButton, 0);" +
        "</script>";
    ClientScript.RegisterClientScriptBlock(this.Page.GetType(), "clientScript", strDisAbleBackButton);
}
We can also achieve this by disabling browser caching, by writing these lines of code in either the Page_Load event or the Page_Init event
protected void Page_Init(object Sender, EventArgs e)
{
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetExpires(DateTime.Now.AddSeconds(-1));
Response.Cache.SetNoStore();
}
Doing this, the user will get the "page has expired" message when hitting the Back button of the browser.