
Forms Authentication No Cache AND avoiding Web Page Has Expired Ms

I have a site which I secure with forms authentication. When the users
sign on and hit one of the secure pages, I have this line in my code to
ensure that the browser does not cache the page; and someone cannot navigate
back to a cached image of the page in theory after the user has signed off.

Response.Cache.SetCacheability(HttpCacheability.NoCache);

This works all right, except when the user decides to use the browser's back
button to navigate between a menu page and a web page inside the secure forms
authentication directory; the page they are going back to while they're
logged in in the secure directory gets expired and they get the Web Page Has
Expired Msg.
While they are signed in and in the secure directory I would like them to be
able to go back and forth to the area freely; but I want to destroy the cache
of the pages they visited upon logout or session expiration. Is there a way
to do this? Or to force the browser to reload a page completely when it's
expired?

Aug 15 '08 #1


Hello ch************************@discussions.microsoft.com,

How do u handle session expiration and logout?! do u have special logout
stuff for your webservice and how do you clear session/cache during logout/expiration?!

---
WBR,
Michael Nemtsev [Microsoft MVP] :: blog: http://spaces.live.com/laflour

"The greatest danger for most of us is not that our aim is too high and we
miss it, but that it is too low and we reach it" (c) Michelangelo
Aug 15 '08 #2

This is done via an ASP login status control, which is a link; when clicked it
fires off the onloggingout event, which calls these two methods:

Session.RemoveAll();
Session.Abandon();

There's also the session timeout.

Aug 15 '08 #3

Hi,

Based on my understanding, what you want to do is use
"Response.Cache.SetCacheability(HttpCacheability.NoCache);" to prevent some
pages from being cached at client-side. And you also want to allow the
cache when the current user has logged in, but remove the cache after they
log out or the session times out, correct?

If this is the case, I'm afraid it is quite difficult for a browser-based web
application. That's because "Response.Cache.SetCacheability(
HttpCacheability.NoCache);" just sets the HTTP cache header when the page is
flushed out. Thus, if you originally enable caching for that page (when the user
is logged in at that time), you cannot access that cache or remove it from
ASP.NET code later (if the user logs out); all the caches are controlled by the
client browser from then on. IMO, if security is the top priority, the best
approach is still to disable caching for all those security-sensitive pages
(for both logged-in and logged-out users). What do you think?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subs...#notifications.

This posting is provided "AS IS" with no warranties, and confers no rights.
Aug 27 '08 #4

Steven,

Thank you for your response.

I have two issues out of this one central issue.

1.) The users are complaining that they can't use the browser's back button to
go back to one of these secure pages without seeing "Web Page Has Expired,"
and having to use a specific Back button that I've put on the pages in the
application, which does a response.redirect to a page and does NOT give them
this message. They want to be able to use the browser's back button and have
the page reload itself. Without getting prompted for a reload, or seeing
some error page in lieu of the real page they're trying to get to.

2.) I don't want the forms authentication pages to be available in cache
after the user has timed out or has logged off, so that some other user using
the same PC can come along and view the "secure" page later without even
logging into the system and have the proper authentication for role.

So it sounds like from your last post this might be difficult to do. Are
there any solutions?


Aug 27 '08 #5

Thanks for your reply,

Yes, for the 1) one you mentioned, I'm afraid that's the case. The user has
to revisit the page if the original has expired. That's the safe
strategy for that case.

Anyway, for expiring a page, we can only determine whether it should
always be un-cached on the client side, but not dynamically cache it or invalidate
its cache on the client side (depending on whether the user is logged on or not).

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

Aug 29 '08 #6
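
The recommendation in this thread (never cache the security-sensitive pages, for logged-in and logged-out users alike) can be applied in one place instead of on every page. The module below is an added example, not code from any poster in the thread; the class name `NoStoreModule` and the `~/secure/` directory are assumptions.

```csharp
using System;
using System.Web;

// Added example: marks every response served from the forms-authentication
// directory as non-cacheable, so no copy survives logout or session timeout.
public class NoStoreModule : IHttpModule
{
    // Assumption: the protected pages live under ~/secure/ in this application.
    private const string ProtectedPrefix = "~/secure/";

    public void Init(HttpApplication app)
    {
        // BeginRequest runs for every request, including ones that forms
        // authentication later redirects to the login page.
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (!IsProtected(ctx.Request.AppRelativeCurrentExecutionFilePath))
            return;

        HttpCachePolicy cache = ctx.Response.Cache;
        // Cache-Control: no-cache, plus Pragma/Expires for older clients.
        cache.SetCacheability(HttpCacheability.NoCache);
        // Cache-Control: no-store, so the browser keeps no copy on disk that
        // a later user of the same PC could open.
        cache.SetNoStore();
        // Already expired: back-button navigation has to ask the server again,
        // where the authentication ticket is checked before the page renders.
        cache.SetExpires(DateTime.UtcNow.AddYears(-1));
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
    }

    // True when the app-relative path is inside the protected directory.
    public static bool IsProtected(string appRelativePath)
    {
        return appRelativePath != null &&
               appRelativePath.StartsWith(ProtectedPrefix,
                                          StringComparison.OrdinalIgnoreCase);
    }

    public void Dispose() { }
}
```

Register the module in web.config (`<httpModules>` for the classic pipeline, `<system.webServer><modules>` for the integrated pipeline). The per-page `SetCacheability` call then becomes redundant.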
