mark123 - 1 month ago
ASP.NET (C#) Question

Using the browser's back button after SignOut() allows access to secure page (ASP.NET MVC)

I have an MVC app that uses [Authorize] to protect the private bits. When I select the SignOut() URL it signs me out, but if I hit the back button on my browser it goes to the secure page and even lets me use the form. The action takes place and then it shows that I'm signed out. The problem is that it performs the secured action (inserting a row into my database). Then I can use the back button again and do it all over. If I use the back button after logging out and then hit the browser refresh, it does show I'm logged out and refuses me access to the secure page.

Am I missing something important? It seems like it could be a really big security issue.

public ActionResult LogOff(string ReturnUrl)
{
    // Expire the forms-authentication ticket cookie for this browser.
    FormsAuth.SignOut();

    // Only honour a local return URL; redirecting to an arbitrary caller-supplied
    // URL would be an open redirect. Url.IsLocalUrl is available in MVC 3 and later.
    if (!String.IsNullOrEmpty(ReturnUrl) && Url.IsLocalUrl(ReturnUrl))
    {
        return Redirect(ReturnUrl);
    }

    return RedirectToAction("Index", "Page");
}

Answer

I think the problem is that the browser caches the page. That's why it doesn't reload the page after you click the back button. If you specify in the headers that the page should not be cached, it should reload the page after hitting the back button, and then the user is refused.

However, getting it to work can be tricky in some cases. See this Caching Tutorial for more info.
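The following is an added example of the header approach the answer describes; it is not code from the question or the answer. It assumes ASP.NET MVC 3 or later (System.Web.Mvc), and the names NoBrowserCacheAttribute and SecureController are chosen here for illustration. The filter sends Cache-Control: no-store (plus no-cache, must-revalidate and an Expires in the past) with every response it decorates, so the browser cannot replay the page from its history cache and has to re-request it, at which point [Authorize] sees no authentication cookie and redirects to the login page.

```csharp
// Added example (not code from the question or the answer above).
// Assumes ASP.NET MVC 3+; NoBrowserCacheAttribute and SecureController
// are hypothetical names chosen for this illustration.
using System;
using System.Web;
using System.Web.Mvc;

/// <summary>
/// Action filter that marks the response as uncacheable so the browser's Back
/// button cannot render a stale copy of a protected page after sign-out.
/// </summary>
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class NoBrowserCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;

        // Expires: <a date in the past>, for HTTP/1.0 caches and old proxies.
        cache.SetExpires(DateTime.UtcNow.AddDays(-1));
        // Do not serve a cached copy even before it has expired.
        cache.SetValidUntilExpires(false);
        // Cache-Control: must-revalidate, proxy-revalidate
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        // Cache-Control: no-cache (ASP.NET also emits Pragma: no-cache)
        cache.SetCacheability(HttpCacheability.NoCache);
        // Cache-Control: no-store, the directive that stops the browser from
        // keeping a copy for the Back button at all.
        cache.SetNoStore();

        base.OnResultExecuting(filterContext);
    }
}

// Usage: apply the filter alongside [Authorize]. The class-level [Authorize]
// covers the POST actions too; the cache headers only change what the browser
// shows and are not themselves the access control.
[Authorize]
[NoBrowserCache]
public class SecureController : Controller
{
    [HttpGet]
    public ActionResult Edit()
    {
        return View();
    }
}
```

Two notes on using it. First, the headers are a usability fix, not the security boundary: the action that performs the insert must itself be reached only through [Authorize] (class-level or on the POST action), because a cached page is just HTML and the browser can still submit its form. Second, the built-in alternative is [OutputCache(NoStore = true, Duration = 0, VaryByParam = "None")] on the controller or action, and on MVC 3 and later a filter like the one above can be applied to every controller at once with GlobalFilters.Filters.Add(new NoBrowserCacheAttribute()) in Global.asax.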
