Currently working on an ASP.NET MVC 3.0 application and using FormsAuthentication.
When the user clicks the Logoff link, it calls the following:
```csharp
public ActionResult LogOff()
{
    FormsAuthentication.SignOut();
    return RedirectToAction("Index", "Home");
}
```
Works great!
But if the user clicks the BACK button, he gets to see his previous page (although he won’t be able to do anything since the [Authorize] attribute is set) and we didn’t want that.
After many searches and posts regarding this subject, I ended up creating a custom ActionFilter called [NoCache] which is placed right underneath each [Authorize] attribute I have.
The [NoCache] attribute looks like this:
```csharp
using System;
using System.Web;
using System.Web.Mvc;

public class NoCacheAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // Expires header set in the past, and no caching anywhere (browser or proxy)
        HttpContext.Current.Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
        HttpContext.Current.Response.Cache.SetValidUntilExpires(false);
        HttpContext.Current.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        HttpContext.Current.Response.Cache.SetNoStore();
    }
}
```
It seems to work but I’m curious to know if this seems like the appropriate approach to use (or not). Are there any known issues I’m not aware of in using this technique?
In addition, I’ve been told that if I had an SSL Certificate then I wouldn’t need to do this but instead, create and set an HTTP Header with Cache-Control: no-cache which would, ultimately, make all my https pages not cached.
Can anyone confirm this?
If the above is true, then why would I create a custom ActionFilter?
Feel free to share any thoughts or better approaches…
Keep in mind, the ultimate goal is to make sure a user does not see his previous page(s) when clicking the BACK button after he’s been signed off (FormsAuthentication.SignOut();).
Thanks
Conclusion:
I’ve decided to close this post with the following conclusion…
The PRG Model suggestion (and link) provided by Shawn is great and indeed should be practiced while developing MVC applications.
The pattern makes sure users who hit refresh (F5) are not re-submitting the form/data again. So it is a question of making proper redirect after a form submission.
As for my issue, I wanted to show the login page to the users that did try and hit the back button only after they’ve signed off (After FormsAuthentication.SignOut).
The behavior I am looking for is the same as when you log off from a banking web site. You are free to hit the back button, but they will display a message letting you know that your session has expired (and, in turn, you are forced to log in again).
I haven’t found (or worked on) a solution yet but the custom NoCache Attribute seems to be the way to go.
Once in production, I will have an SSL certificate applied to the protected pages and perhaps, when we get there, I might find a different way to achieve my task without the use of the NoCache Attribute.
When and if I do, I will share my findings.
Thanks
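As an added example (not the asker's code), here is the same no-cache approach written against the filter's own `filterContext` instead of `HttpContext.Current`, registered once as a global filter so that no `[Authorize]` action can be missed, together with a `LogOff` action that also abandons the server-side session. The `ExampleApp` namespace and the `Global.asax` method name are assumptions for illustration; the cache-policy calls are the standard `System.Web` ones and produce `Cache-Control: no-cache, no-store, must-revalidate`, `Pragma: no-cache` and a past `Expires` header on every response.

```csharp
// Added example, not the original post's code. Assumed namespace ExampleApp.
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

namespace ExampleApp.Filters
{
    // Tells the browser and any intermediate cache not to keep a copy of the
    // page. A BACK click then has to re-request the page from the server,
    // where [Authorize] sees no valid auth cookie and redirects to the login page.
    public class NoCacheAttribute : ActionFilterAttribute
    {
        public override void OnResultExecuting(ResultExecutingContext filterContext)
        {
            // Use the context handed to the filter; it works the same in unit tests
            // and never depends on HttpContext.Current being populated.
            HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;

            cache.SetExpires(DateTime.UtcNow.AddDays(-1));          // Expires: (past date)
            cache.SetValidUntilExpires(false);
            cache.SetRevalidation(HttpCacheRevalidation.AllCaches);  // must-revalidate
            cache.SetCacheability(HttpCacheability.NoCache);        // no-cache + Pragma: no-cache
            cache.SetNoStore();                                     // no-store

            base.OnResultExecuting(filterContext);
        }
    }
}

namespace ExampleApp
{
    using ExampleApp.Filters;

    public class MvcApplication : HttpApplication
    {
        // Called from Application_Start in MVC 3: RegisterGlobalFilters(GlobalFilters.Filters);
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());
            // One registration instead of one [NoCache] under every [Authorize].
            filters.Add(new NoCacheAttribute());
        }
    }
}

namespace ExampleApp.Controllers
{
    public class AccountController : Controller
    {
        public ActionResult LogOff()
        {
            // Expires the forms-authentication cookie on the client.
            FormsAuthentication.SignOut();

            // Also drop any server-side session state tied to this user, so a
            // replayed request cannot find leftover data after sign-out.
            Session.Clear();
            Session.Abandon();

            return RedirectToAction("Index", "Home");
        }
    }
}
```

Registering the filter globally trades a little performance for safety: public pages lose browser caching too, so if that matters, keep the attribute per-controller but put it on the base controller that every authorized controller inherits from rather than on individual actions. Whichever way it is applied, the protection comes from the response headers, not from the transport: an HTTPS page with no `Cache-Control` header is still stored by most browsers and served from history on BACK.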