0

I tried this method by putting it in my login.cshtml but it doesn't work there at all. Then I tried putting it in my _Layout.cshtml but then it does its job while affecting the entire website (as expected). Any tips on where I should put or how I should manipulate the code?

here it is here:

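    // Push the browser forward again whenever this page is shown
    function preventBack() { window.history.forward(); }
    // Pass the function itself; a string argument is evaluated like eval()
    setTimeout(preventBack, 0);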
Vrankela
  • 6
    disabling back/forward is horrible from a user experience perspective. what if someone DOESN'T want to log in and landed on the login page accidentally? – Marc B Dec 10 '14 at 14:10
  • @MarcB what do you propose then? I have this problem in mvc, where when I log out (and clear sessions) you can click back in the browser and see sensitive information. – Vrankela Dec 10 '14 at 14:16
  • 3
    that's a browser cache problem... if it's sensitive, then output the page with no-cache headers. – Marc B Dec 10 '14 at 14:21
  • 1
    @Vrankela This is an example of an [XY Problem](http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem). Your goal was to prevent someone from seeing sensitive data, but you wanted to do that by disabling the back button. What you should have asked from the beginning was "how do I prevent people from accessing sensitive cached information after logging out?" – mason Dec 11 '14 at 16:49
  • @mason I'm going to listen to your advice, should I post a new question or edit the existing one? – Vrankela Dec 12 '14 at 08:43
  • You can edit this question, it's still salvageable. After you do that, if I were you I would personally unaccept the JavaScript based answer and ping Marc B and ask him to go into detail on his proposed solution in an answer. – mason Dec 12 '14 at 14:17
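
The server-side approach raised in the comments above (no-cache headers plus invalidating the session on logout), as an added example that is not part of the original thread. It is written as a framework-neutral Node.js handler; the routes `/login`, `/logout` and `/account`, the `sid` cookie name and the in-memory session store are assumptions made for illustration.

```javascript
// Added example: hypothetical routes and an in-memory session store.
const crypto = require('crypto');

const sessions = new Map();   // session id -> user name, kept on the server

// Sent on every sensitive response so the browser keeps no copy of it.
const NO_STORE = { 'Cache-Control': 'no-store' };

function sessionIdFrom(req) {
  const m = /(?:^|;\s*)sid=([a-f0-9]+)/.exec(req.headers.cookie || '');
  return m ? m[1] : null;
}

function login(user) {
  const sid = crypto.randomBytes(16).toString('hex');
  sessions.set(sid, user);
  return sid;
}

// Returns { status, headers, body }; can be wired into http.createServer.
function handle(req) {
  const sid = sessionIdFrom(req);
  const user = sid ? sessions.get(sid) : undefined;

  if (req.url === '/logout') {
    if (sid) sessions.delete(sid);   // invalidate server-side, not only the cookie
    return {
      status: 302,
      headers: { ...NO_STORE, Location: '/login',
        'Set-Cookie': 'sid=; Max-Age=0; Path=/; HttpOnly; SameSite=Lax' },
      body: '',
    };
  }
  if (req.url === '/login') {
    return { status: 200, headers: { 'Content-Type': 'text/plain' }, body: 'login form' };
  }
  // Every other route is treated as sensitive: live session required, no caching.
  if (!user) {
    return { status: 302, headers: { ...NO_STORE, Location: '/login' }, body: '' };
  }
  return {
    status: 200,
    headers: { ...NO_STORE, 'Content-Type': 'text/plain' },
    body: 'Account page for ' + user,
  };
}
```

Nothing here depends on script running in the browser: the sensitive response is marked `no-store`, and a request for it after logout is redirected because the session no longer exists on the server.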

2 Answers

2

I recently used this in an MVC project. Maybe you can put it on the page that the login redirects to.

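    // kill all back button functionality
    function noBack() { window.history.forward(); }
    noBack();
    window.onload = noBack;
    // persisted is true when the page is restored from the back/forward cache
    window.onpageshow = function (evt) { if (evt.persisted) noBack(); };
    // an empty unload handler is a common trick to keep the page out of that cache
    window.onunload = function () { void (0); };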

Do be careful though if you are using this for security reasons, as JavaScript is not the most ideal solution to handle secure logic within a site. It is easy to get around since the JavaScript code is executed on the client's PC and/or it can be disabled by the browser.

kharr1027
  • this managed to prevent me from going back to the pageLoad (the page the login redirects to) – Vrankela Dec 10 '14 at 14:23
  • 1
    So if someone disabled JavaScript, they could get around this "security" measure? – mason Dec 10 '14 at 14:24
  • But I can still go back to a third page after I log out. So what do you suggest I do instead of doing this in javascript? – Vrankela Dec 10 '14 at 14:26
  • @kharr1027 how do I limit this so that it works from the login page only? – Vrankela Dec 10 '14 at 14:35
  • @kharr1027 how do I put this code into my _Layout (my master layout) view and put an if function to check if the back button request is coming only from the login page? – Vrankela Dec 10 '14 at 14:40
  • Uhm, you're using web pages, I would think that you could put it just in the page the login redirects to on success. This would prevent them from going back to the login page. – kharr1027 Dec 11 '14 at 16:33
  • @mason yes, if JS was disabled it would prevent it, but I don't see that happen too often these days. I would suggest that if this is a security issue you should probably think about a redesign of your architecture and not depend on client side code for security measures. – kharr1027 Dec 11 '14 at 16:34
  • @kharr1027 That's unfortunate that you don't see it as a security issue, because any sensitive data that can be circumvented by simply disabling client side code is a horrible security measure. While the average person doesn't go around with JS disabled, anyone that is actively attempting to obtain sensitive data is likely to do so. So the real solution in this case is what Marc B said in the question comments. – mason Dec 11 '14 at 16:44
  • @mason I didn't say I did not see this as a security issue, I was simply stating that if his reason for wanting to disable the back button was for a security reason I would rethink my architecture. I thought I was clear in my previous comment that JS is not a language you want to depend on for security. – kharr1027 Dec 11 '14 at 19:42
  • Yes, but my point is if you don't want to rely on client side code for security, then your entire answer is invalid. – mason Dec 11 '14 at 19:56
  • Yes, it is. He didn't state it at first, but usually when someone asks a question about how to prevent going back, it means they're trying to protect sensitive information. It takes a little intuition, but Marc B correctly sussed it out. Even though it's an XY problem, you should update your answer to reflect the secure practice-it's not to answer a question about a security issue with an insecure answer. This answer is to all the future people that read this question too, so you have to make sure you're not leading people down the wrong path. – mason Dec 11 '14 at 21:09
  • I think it's presumptuous to assume that this is all about security. There are other reasons to inhibit the back button which are unrelated to security and all too often do we see respondents trying to "read people's minds" as opposed to just answering the question posed – stormypete Sep 07 '17 at 22:17
0

You can put it in the layout but activate it only if you're on the login page:

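    // Only run on URLs that contain "login" (case-insensitive)
    if (window.location.href.toLowerCase().indexOf("login") > -1)
    {
        function preventBack() { window.history.forward(); }
        // Pass the function itself; a string argument is evaluated like eval()
        setTimeout(preventBack, 0);
    }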
Mathieu Labrie Parent
  • No success :( What does the > -1 do by the way? The name in the indexOf is the .cshtml, right? – Vrankela Dec 10 '14 at 14:20
  • The indexOf is looking for a part of the string in the URL. It returns the index of the search string in the whole string. So if it's > than 0, it means you found the string. What is your login URL? Put the right string to search. I edited my answer to add a lowercase to avoid the case sensitivity. – Mathieu Labrie Parent Dec 10 '14 at 14:23
  • So if someone disabled JavaScript, they could get around this "security" measure? – mason Dec 10 '14 at 14:24
  • If someone disabled JavaScript, he can't browse on the web. jQuery is used everywhere these days – Mathieu Labrie Parent Dec 10 '14 at 14:25
  • @MathieuLabrieParent You can browse the web without JavaScript. It breaks a lot of functionality, but for anyone attempting to obtain sensitive data that's not really an issue. Since the purpose of this question was to protect sensitive data, and your answer is really not secure at all, I have to downvote. And sidenote, jQuery is not synonymous with JavaScript. – mason Dec 11 '14 at 16:47