Project Context
Client requires that the users of the site (when they are logged in and able to view their personal information) be forced to be logged out if they try to navigate using the browser’s navigation buttons.
My Research
Searching around on SO seems to indicate that most of the problems people have are to "stop" people from hitting the browser’s back button when they’re logged out, like this and this. The difference is that I need to "stop" the users from navigating backwards in history (and even forward as well, though I don’t see how the users can go forward in history if they can’t go back in the first place) even when they are logged in, making it compulsory that they use the provided navigation.
The Solution I Have In Mind
I’m thinking of capturing the browser’s event when a user hits the back button and logging them out then. However, as discussed here, it seems like you can only "do it" using JavaScript and not using server-side code. My qualm with this approach is that users can bypass it merely by disabling JavaScript on their browsers.
My Question
So my question is – Is there a way I can capture the browser event on the server-side and log them out there? If not, what are the alternatives to achieving my objective?
I’d say that your best option is tracking the session.
You make the client send you the timestamp of when the request was processed by your server, or even simpler: a user-dependent counter (which you send each time to the client), and server-side keep track of the last timestamp/counter sent.
If the user clicks the back button, he will send you an old timestamp/counter instead of the last current one, and you can then log him out server side.
This should do the trick.
In order to make sure the trick is done and to make it JavaScript-independent, I’d say you could place this value in a hidden parameter, or maybe as a hidden form field, so the user doesn’t see it but it always gets sent to your server.
I hope this helps!
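The counter scheme from the answer above, sketched as an added example that is not part of the original answer. The class name `NavigationGuard`, the field name `nav_token` and the in-memory dictionary standing in for the session store are assumptions, and the random suffix on the counter is an addition so the value cannot be guessed.

```python
import hmac
import secrets


class NavigationGuard:
    """Tracks, per session, the single page token the server issued last."""

    def __init__(self):
        # Assumed in-memory store: session_id -> {"counter": int, "token": str}
        self._sessions = {}

    def login(self, session_id):
        """Start tracking a session; returns the token for the first page."""
        self._sessions[session_id] = {"counter": 0, "token": ""}
        return self._issue(session_id)

    def _issue(self, session_id):
        state = self._sessions[session_id]
        state["counter"] += 1
        # The counter gives ordering; the random part makes it unguessable.
        state["token"] = f"{state['counter']}.{secrets.token_urlsafe(16)}"
        return state["token"]

    def handle_request(self, session_id, submitted_token):
        """Return (ok, next_token). A stale or missing token ends the session."""
        state = self._sessions.get(session_id)
        if state is None:
            return False, None  # not logged in
        current = state["token"].encode()
        submitted = (submitted_token or "").encode()
        if not hmac.compare_digest(current, submitted):
            del self._sessions[session_id]  # server-side logout
            return False, None
        return True, self._issue(session_id)

    def is_logged_in(self, session_id):
        return session_id in self._sessions


def hidden_field(token):
    """Hidden form field that carries the token back with every request."""
    return f'<input type="hidden" name="nav_token" value="{token}">'
```

The check fires on the next request sent from the older page, since that page still carries the old token. A page reload that resubmits the form, or a second tab, also sends an old token and is logged out the same way.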