
Disable Secure Page Cache


Nov 26, 2014

CPOL


This tip addresses expiring a page when the browser's back/forward buttons are used to navigate the application.

Introduction

Why do we need to expire a web page when the browser back/forward button is clicked? It is a security concern: if a user on a public, shared computer leaves a browsed page open, someone else can sneak a peek at that user's information by using the browser back/forward buttons.

Using the Code

Part 1

First of all, set the following response properties in your Page_Load function. Do not put this code inside the if (!IsPostBack) block, because it has to run on every request. See the sample code below:

protected void Page_Load(object sender, System.EventArgs e)
{
    if (!Page.IsPostBack)
    {
        // your logic here
    }

    // Runs on every request, postback or not (HttpCacheability is in System.Web).
    Page.Response.Cache.SetCacheability(HttpCacheability.NoCache);
    Page.Response.Cache.SetNoStore();
    Page.Response.Cache.AppendCacheExtension("no-cache");
    Page.Response.Expires = 0;
}

If there is any action or postback, the lines below take effect and expire the page.

Page.Response.Cache.SetCacheability(HttpCacheability.NoCache);
Page.Response.Cache.SetNoStore();
Page.Response.Cache.AppendCacheExtension("no-cache");
Page.Response.Expires = 0;

Part 2

Now we add our own logic to cover pages where there is no postback.

Add the following code inside the if (!IsPostBack) check of your Page_Load function, as shown below.

We use one Session variable, "TimeStamp", and one ViewState variable, "TimeStamp".

When the web page is loaded through a navigation link inside the application, both Session["TimeStamp"] and ViewState["TimeStamp"] are null. That means the browser buttons were not clicked and we don't have to expire the page.

Whenever the user clicks the browser back/forward button, the ViewState is null for that page while the Session still contains "TimeStamp", so we infer that a browser button was clicked and that we need to expire the page and redirect to another page. In our case, we redirect to WebPageExpire.aspx.

protected void Page_Load(object sender, System.EventArgs e)
{
    if (!Page.IsPostBack)
    {
        // your logic here
        if (isPageExpired())
        {
            // Session has a stamp but ViewState does not: treat the page as expired.
            Response.Redirect("WebPageExpire.aspx");
        }
        else
        {
            // Legitimate load: record the same stamp in Session and ViewState.
            string strNow = DateTime.Now.ToString();
            Session["TimeStamp"] = strNow;
            ViewState["TimeStamp"] = strNow;
        }
    }

    Page.Response.Cache.SetCacheability(HttpCacheability.NoCache);
    Page.Response.Cache.SetNoStore();
    Page.Response.Cache.AppendCacheExtension("no-cache");
    Page.Response.Expires = 0;
}

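Now, add the function isPageExpired(), which compares Session["TimeStamp"] and ViewState["TimeStamp"].

private bool isPageExpired()
{
    // Both indexers return object, so == would compare references, not values.
    // object.Equals compares the string values and treats two nulls as equal.
    return !object.Equals(Session["TimeStamp"], ViewState["TimeStamp"]);
}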

One more thing: wherever you navigate from (an asp:Button, an asp:Link, etc.), you have to set Session["TimeStamp"] = null, so that every time we navigate legitimately, our Session and ViewState have the same value.

protected void BtnRegister_ServerClick(object sender, System.Web.UI.ImageClickEventArgs e)
{
    Session["TimeStamp"] = null;
    Response.Redirect("Register.aspx", false);
}

We have to add the same logic to every page that needs the secure cache-disable functionality, and you also have to design a page to redirect to. In my case, I designed the page WebPageExpire.aspx, which shows this message to the user:

WebPage has expired please login again.
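
Since the same logic has to be repeated on every protected page, one way to keep it in a single place is a shared base class. This is an added example, not code from the original tip: the names SecurePage and NavigateTo are hypothetical, and it assumes session state is enabled and that protected pages inherit from SecurePage instead of System.Web.UI.Page.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class (added example): combines Part 1 and Part 2 of the tip.
public class SecurePage : Page
{
    private const string StampKey = "TimeStamp";             // key used in the tip
    private const string ExpiredUrl = "WebPageExpire.aspx";  // page used in the tip

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Part 1: set on every request, postback or not.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.AppendCacheExtension("no-cache");
        Response.Expires = 0;
    }

    protected override void OnLoad(EventArgs e)
    {
        if (!IsPostBack)
        {
            if (IsPageExpired())
            {
                // Default overload ends the response, so the derived page's
                // Page_Load never runs and nothing from it is rendered.
                Response.Redirect(ExpiredUrl);
            }
            // Part 2: legitimate load, record the same stamp in both stores.
            string now = DateTime.Now.ToString();
            Session[StampKey] = now;
            ViewState[StampKey] = now;
        }
        base.OnLoad(e); // raises Load, which calls the derived page's Page_Load
    }

    // Value comparison; two nulls count as equal (a fresh, legitimate load).
    private bool IsPageExpired()
    {
        return !object.Equals(Session[StampKey], ViewState[StampKey]);
    }

    // Use for in-application navigation, as BtnRegister_ServerClick does in the tip.
    protected void NavigateTo(string url)
    {
        Session[StampKey] = null;
        Response.Redirect(url, false);
    }
}
```

With this scheme, any non-postback request that arrives while Session["TimeStamp"] is set is treated as expired, including a plain browser refresh, so every in-application link has to go through the reset step.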

I hope this will solve the problem and I am looking forward to hearing from you guys.