I rarely post about development stuff, but this one had me stumped for a couple of hours, so I thought I’d give my solution here.
The issue arises when a user logs out of a protected section of a website. Especially on websites that deal with sensitive data and tools, such as banking, you want to make sure that when the user has logged out, they have truly logged out. Whilst there are many forms of eloquently designed login functionality around, the basic gist is that when you sign in to a website, once your credentials are authenticated they are stored in the session. So long as the session hasn’t expired, each page load in this protected area of the website should allow you to do whatever it is you’re on the site to do. Logout functionality means clearing and/or abandoning the session. This means that the next time the server receives an HTTP request from that user, it will see that the session is empty and will prompt the user to log in again.
That’s all well and good until you come up against caching. One simple way of testing whether this affects your website is to sign in to the protected area, then sign out, then press the back button. If the browser has cached the previous page, it won’t perform a page reload, meaning that no HTTP request is sent to the server, so no authentication check is made as to whether the user should be seeing that page. Therefore, any solution to this must be dealt with on the client side.
After searching for various possible solutions, I came across this article, which is wonderfully succinct and lists the pros and cons of each approach. His final suggestion for solving the problem is the one I’d recommend. It essentially involves creating a web method in your logout page which checks whether the user is still authenticated, then using jQuery to send an Ajax request to that method and, if the answer is no, redirecting the user to the login page. This is undoubtedly the most cross-browser-friendly solution, although for some reason it didn’t seem to work in Firefox.
For Firefox, the same session check needs to be hooked to the pageshow event, which also fires when a page is restored from the browser’s back/forward cache without a fresh request (the load event does not fire in that case):
window.addEventListener('pageshow', YourCheckSessionFunctionName, false);
This way, if the user clicks back, within a split second the redirect kicks in and they’re faced with the login screen. Job done.
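The check described above, written out as an added example that is not the post’s or the linked article’s code: the jQuery Ajax call is replaced by fetch(), the page’s dependencies are injected so the logic can be exercised outside a browser, and the web method path, login URL and the JSON shape { "authenticated": true|false } are assumptions.

```javascript
// Added example (not the original post's code). CHECK_URL, LOGIN_URL and the
// { "authenticated": true|false } response shape are assumptions for illustration.
const CHECK_URL = '/Logout.aspx/IsLoggedIn'; // assumed: web method reporting session state
const LOGIN_URL = '/Login.aspx';             // assumed: login page to redirect to

// Decide whether a page shown from history may stay on screen. Fail closed: only a
// well-formed 200 response that explicitly says "authenticated: true" keeps the page.
function shouldRedirect(status, body) {
  if (status !== 200 || body === null || typeof body !== 'object') return true;
  return body.authenticated !== true;
}

// Ask the server whether the session is still alive; redirect to the login page if not.
// `win` and `fetchFn` are injected so the same logic runs in the browser (window, fetch)
// and under a test harness with fakes. Resolves to true when a redirect was issued.
async function checkSession(win, fetchFn) {
  let status = 0;
  let body = null;
  try {
    const res = await fetchFn(CHECK_URL, {
      method: 'POST',
      cache: 'no-store',            // never let this probe itself be answered from cache
      credentials: 'same-origin',   // send the session cookie with the request
      headers: { 'Content-Type': 'application/json' },
      body: '{}',
    });
    status = res.status;
    body = await res.json();
  } catch (err) {
    // Network failure or unparsable body: treated as "not authenticated" below.
  }
  const redirect = shouldRedirect(status, body);
  if (redirect) {
    const back = encodeURIComponent(win.location.pathname);
    win.location.replace(LOGIN_URL + '?ReturnUrl=' + back); // replace(): leaves no history entry
  }
  return redirect;
}

// pageshow fires on a normal load and, with event.persisted === true, when the browser
// restores the page from its back/forward cache without contacting the server at all.
function installBackButtonCheck(win, fetchFn) {
  win.addEventListener('pageshow', () => { checkSession(win, fetchFn); }, false);
}

if (typeof window !== 'undefined' && typeof fetch === 'function') {
  installBackButtonCheck(window, fetch);
}
```

Protected pages should also be served with Cache-Control: no-store so that browsers which honour it never keep a copy in the first place; the pageshow check then covers those that still restore the page from history.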