SharePoint prevent exposing sensitive page on web browser back button


The idea behind this trick is that the browser should not cache the page and should reload it every time the user accesses it. Then, when you log out and press the browser's back button, the browser sends a request to the server instead of showing cached data, and the server redirects you to the login page if the page is secured. To achieve this, the proper response headers must be applied so the browser knows not to cache the page.

Response Headers

Cache-Control: no-cache, no-store, must-revalidate
Expires: -1
Pragma: no-cache

As for the C#/SharePoint code: if you have a page with a control exposing sensitive data and you would like to prevent viewing it after the user logs out and clicks the back button, then make a method:

using System;
using System.Web;

namespace MySPSolution
{
    class Utils
    {
        public static void DisableBrowserCache()
        {
            HttpContext.Current.Response.Cache.SetNoStore();
            HttpContext.Current.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
            HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);
            //those below are set automatically, but if not, uncomment them.
            //HttpContext.Current.Response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));
            //HttpContext.Current.Response.AppendHeader("Pragma", "no-cache"); 
        }
    }
}
... then once you have the control created use the above method within the control:

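using System;
using System.Web.UI;
using MySPSolution; // brings Utils.DisableBrowserCache() into scope

namespace SPProject.ControlTemplates.YourNamespace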
{
    public partial class YourControl: UserControl
    {
        protected override void OnInit(EventArgs e)
        {
            Utils.DisableBrowserCache();
            base.OnInit(e);
        }
    }
}
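To confirm the control really emits the headers listed above, the response can be audited from the outside. The following is an added example, not code from the original post: it parses the Cache-Control header(s) of one response and reports what is missing. The function names and the sample responses are constructed for illustration.

```python
import re

# Directives the post sets on the sensitive page via Cache-Control.
REQUIRED = ("no-store", "no-cache", "must-revalidate")
# A token, optionally followed by =value (token or quoted string).
_DIRECTIVE = re.compile(r'([\w!#$%&\'*+.^`|~-]+)(?:\s*=\s*("[^"]*"|[^\s,]*))?')


def parse_cache_control(values):
    """Merge every Cache-Control line into {directive: argument or None}."""
    directives = {}
    for value in values:
        for name, arg in _DIRECTIVE.findall(value):
            directives[name.lower()] = arg.strip('"') or None
    return directives


def audit(headers):
    """headers: (name, value) pairs of one response. Returns findings; [] is OK."""
    cc = parse_cache_control(v for n, v in headers if n.lower() == "cache-control")
    findings = [f"missing {d}" for d in REQUIRED if d not in cc]
    # no-cache="Field" only covers the listed fields, not the whole page.
    if cc.get("no-cache"):
        findings.append("no-cache is limited to fields: " + cc["no-cache"])
    # "public" allows any cache to store the response, contradicting no-store.
    if "public" in cc:
        findings.append("conflicting directive public")
    return findings


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "as in the post": [("Cache-Control", "no-cache, no-store, must-revalidate"),
                       ("Expires", "-1"), ("Pragma", "no-cache")],
    "split and mixed case": [("cache-control", "No-Cache"),
                             ("Cache-Control", "NO-STORE,must-revalidate")],
    "private only": [("Cache-Control", "private, max-age=0")],
    "qualified no-cache": [("Cache-Control",
                            'no-store, no-cache="Set-Cookie", must-revalidate')],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label}: {audit(hdrs) or 'OK'}")
```

Feed it the header pairs from the browser's network panel or any HTTP client after loading the secured page while logged in.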
Please note that disabling browser caching brings additional overhead for the server, so use it only for the pages that need it. Cheers
Tags: SharePoint headers, ASP.NET Control headers, Web browser back button on logout, Web browser not to cache