Is this behavior because of cached page?

I have a new project (my first day at my new job). It's MVC, C#, VS 2017.

First scenario that works fine
1. User logs in and there's a "log out" button (other stuff too)
2. User clicks on "log out" and is directed back to the login.
3. I clicked on browser's "forward" button and got back to the site without logging back in. At this point, if I clicked on any links, I got logged out. This is good.

Second scenario that doesn't work. What's the solution for this? Is this because the page was cached?

1. User logs in and there's a "log out" button (other stuff too)
2. I did NOT click on "log out". I just clicked the browser's back button and got back to the login page.
3. On the login page, the password field is empty.
4. I clicked on the browser's "forward" button and got back to the site without logging back in. At this point, if I clicked on any links, I do not get logged out. This is bad.

So, when the user uses the "log out" button, the site works fine and the user can't click on links in the website and gets logged out when they try to do that.
When the user does NOT use the log out button, even though the user has not entered a password to log back in, the browser's forward button gets the user back to the site and the user can do whatever.


My possible solution
If the user is on the login page, somehow disable the browser's forward button.
Camillia asked:

Dave Baldwin (Fixer of Problems) commented:
If user is on log in page, some how disable browser's forward button
No, that won't work.

What you describe in your Second scenario is perfectly normal behavior.  Login isn't determined by what page they are on but usually whether a cookie for the login or session is still valid.  Forward and Back don't normally re-fetch the page from the server; they just reload it from the browser cache.  There is no reason to think that they should be logged out in your Second scenario.
0
Jim Riddles (Prepress/OMS Specialist) commented:
Your logic is flawed on the second scenario.

Consider that you accessed a site, and logged in.  If you click your browser's back button, you have not logged out, so when you click the browser's forward button, you should still be logged in and be able to click links.  This isn't a flaw...it is expected behavior.

I am also somewhat confused by your first scenario.  You claim that someone logs in, then they log out, and are brought back to the login page.  If that is true, then they shouldn't be able to go forward using their browser's back button, unless you are using JavaScript to send them to the previous page in their navigation history, while also clearing out any session data.
0
Camillia (Author) commented:
There is no reason to think that they should be logged out in your Second scenario

Correct, they're not logged out.

Forward and Back don't normally re-fetch the page from the server, just reloads it from the browser cache

That was my thought that it's cache

Login isn't determined by what page they are on but usually whether a cookie for the login or session is still valid

So in scenario 2, where the user doesn't click "log out", goes back to the login page, clicks on the "forward" button of the browser and still can get to everything in the site, how can this be fixed? So when the user clicks on the back button and gets to the login page, should the session be cleared at this point? When the login page is loaded, should we clear all cookies/sessions?


Jim - they probably use JavaScript in scenario one to clear the session or whatever when the user clicks on "log out".
0
Jim Riddles (Prepress/OMS Specialist) commented:
As Dave and I already stated, the current behavior is the correct and expected behavior.  I'm not certain what value you gain by forcing the session to clear if someone uses their back button on the browser to return to the login page.  Can you explain what the use case is?
0
Camillia (Author) commented:
The issue is when the user clicks on the back button, now they're on the login page. Now the user clicks on the forward button and goes right back into the site without logging back in. It's ok to click back, back, back, land on the login page, then click forward and go into the site without logging in... shouldn't the user be prevented from going to the site when they haven't entered their password? I know it's caching but still... the user can just click forward and go inside the site...

It's not a security issue?

---------------------------------------

I think if I add code like this, the cache gets disabled and the user is forced to use the "log out" button and not the browser's back button. It's my first day at this job and it looks like no one has come across this issue.

    <script type="text/javascript">
        // Proposed forward-trap: whenever this (login) page is shown, push the
        // browser forward again so the Back button cannot rest on it.
        function noBack() { window.history.forward(); }
        noBack();
        window.onload = noBack;
        // pageshow fires with evt.persisted when the page is restored from the
        // back/forward cache, a case that onload does not cover.
        window.onpageshow = function (evt) { if (evt.persisted) noBack(); };
        // Registering an onunload handler makes most browsers skip the
        // back/forward cache for this page, forcing a fresh load instead.
        window.onunload = function () { void (0); };
    </script>

0
Dave Baldwin (Fixer of Problems) commented:
It is not a security issue.  It is a misunderstanding on your part about how it works.  Once a party is logged in, they can go back and forward all they want until they logout or their login expires for some reason.  It is not an issue and your code above will cause unexpected results.  Don't do it.
1

Camillia (Author) commented:
their login expires for some reason

Yeah, they do have a timeout in their code.

Once a party is logged in, they can go back and forward all they want
My thinking was that it's a security issue if the user is on the login page after going back and forth. Someone else can just click forward on that user's browser (for whatever reason the user is not at their desk) and the second user can change the first user's password or whatever.

It is a misunderstanding on your part about how it works
I just don't understand how this can't be a security issue. My explanation is in the paragraph above. I know the user can go back and forth. What you said about the user being able to do whatever until they're logged out does make sense.

I'm going to work. I'll send screenshots just to make sure. I know I'm beating it to death but for my own understanding, I'll post screenshots.


Now, a lesson learned for me. I'm new at this job and already reported this is a potential issue. I should've checked here or researched more.
0
Camillia (Author) commented:
Just to make sure, here are the screenshots. Thanks for sticking with this question.

1. User logs in [screenshot: Login]
2. User clicks on, for example, change password [screenshot: second screen]
3. User clicks the browser's back button and lands on the login page [screenshot: Login page again]
4. User clicks on the browser's forward button and lands on the change password page again, without logging in.
So, this is ok, no security issue?

Second question - what adverse effects that JS code might cause?
0
Jim Riddles (Prepress/OMS Specialist) commented:
You are correct...there is no security issue there.  If the user intended to log out, they must click the log out button.  Using the browser's back button to get back to the login page will not log them out on any site that I have encountered.
0
Camillia (Author) commented:
Using the browser's back button to get back to the login page will not log them out on any site that I have encountered.

I know it won't log them out when they click on the browser's back button. My thought was to have that JS code to prevent the user from browser click (what I explained above). Per Dave and you, I should leave it as is.
0
Camillia (Author) commented:
So, my question was NOT why the user is not logged out when they use the browser's back button.

My question was whether that behavior should be fixed and, if so, use that JS code, but Dave said not to do that and to leave it as is.

Now, what are the drawbacks if I implement that JS code?
0
Jim Riddles (Prepress/OMS Specialist) commented:
The drawbacks are that you break the way that users expect their browser to work, and for what gain?  My point is that there is nothing to gain from implementing that code, only to potentially deal with the headache for whoever has to answer the inevitable customer service calls when the user thinks the site is broken.

In what way do you believe that it is a security risk for a user to browse back to the login page and then browse forward and continue using the site?
0
Camillia (Author) commented:
In what way do you believe that it is a security risk for a user to browse back to the login page and then browse forward and continue using the site?

The only scenario I can think of is if the user walks away without locking their computer and someone else will have access to their computer.
0
Jim Riddles (Prepress/OMS Specialist) commented:
The code you are suggesting would not solve that issue.  The only way to solve that issue is to set the session timeout to such a low value as to make your site unbearable for your users.

The only real solution to the type of problem you are looking at fixing is a good employee handbook detailing the employee's responsibilities to lock their machine whenever they walk away, thorough user training, and consistent application of that policy.  Make it clear that it is the employee's responsibility to safeguard company IP, and failure to do so will have real consequences, up to and including termination.
2
Camillia (Author) commented:
Thanks, Jim. All makes sense.
0
ASP.NET