HOW TO: Prevent users from pressing back button after signing out from a SharePoint site

This blog post is a contribution from Charls Tom Jacob, an engineer with the SharePoint Developer Support team.

Scenario:

In SharePoint, the sign out is complete only when you actually close the browser window.  SharePoint asks you to close the browser after sign out: “You must close your browser to complete the sign out process”.  If the browser is Internet Explorer, it goes the extra mile by showing a confirmation box to close the current window, and closes it if you say yes.  This is done by calling the window.close() JavaScript function on page load.

But that’s not the case with other browsers (Firefox, Chrome, etc.), which do not allow a script to close the window.  Again, IE leaves it to the user to decide whether to close the window or not.

Problem:

You might be using your SharePoint site to store sensitive information such as order/purchase details, credit card numbers, or anything else that’s confidential.  You have a wide variety of users, technical and non-technical, who access the site from the intranet/extranet or from public internet cafes.  Suppose a user is viewing or editing some items and decides to sign out of the site without bothering to close the browser window.  Anyone can then get to the previous page simply by pressing the browser back button, leaving the sensitive data open to others.

This happens because the page is served from the browser cache and not loaded from the server.  If you reload the page, SharePoint senses that you have logged out of the site and takes you to the login page.  Of course caching is a good thing, as it helps to serve pages faster, but here it is a downside because it’s controlled by the browser and not the server.

Solution:

Now, coming back to the title of the blog: the easiest solution would be to prevent users from pressing the back button, ultimately by disabling it!  But that’s not going to be very easy. You may find ‘n’ number of techniques claiming to do that, but none of them serves the purpose across different browsers.

So in the SharePoint context (or rather ASP.NET), the solution is to develop a custom master page with a few lines of code that instruct the browser not to cache the page.  When the page is not cached, the browser is forced to send a request to the server each time the page is requested.  You may not want to do this for all pages/sites, as it impacts performance.

Here I won’t go into the details of how to set the master page dynamically; instead I use a custom master page on a site that does not cache, and hence “secures” your data after a sign out.

Steps:

1. Create a master page using Visual Studio.  Call it NoCache.master.

2. To preserve the look and feel, copy the contents from your site master page (Download the master page from the master page gallery).

3. Modify the Master tag as below:

 <%@ Master language="C#" Inherits="MasterPageWithCodeBehind.MasterPageModule.NoCache, MasterPageWithCodeBehind, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ea0870212dba35bb" %>

4. Implement the code-behind as below:

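 using System;
 using System.Web.UI;

 namespace MasterPageWithCodeBehind.MasterPageModule
 {
     public class NoCache : MasterPage
     {
         // Control declared in the master page markup
         protected System.Web.UI.HtmlControls.HtmlGenericControl divRibbonContainer;

         protected void Page_Load(object sender, EventArgs e)
         {
             // IE: mark the response as non-cacheable (Cache-Control: no-cache)
             Response.Cache.SetCacheability(System.Web.HttpCacheability.NoCache);

             // Others: also forbid storing the response (Cache-Control: no-store)
             Response.Cache.SetNoStore();

             // Visible marker showing that this master page is in use
             Response.Write("This is a custom master page that prevents caching!!");
         }
     }
 }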

This code instructs the browser not to cache the page.

5. Deploy this master page and set it as your site’s default master page.

6. Sign out from the SharePoint site and press the back button.  You will be taken to the SharePoint login page, instead of the last page you visited!
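
To confirm step 6 at the HTTP level rather than only by pressing Back, the following added example (not part of the original post) checks a response's Cache-Control header for the two directives the code-behind sets. The header samples are constructed, and the function names are this example's own.

```python
# Added example: audit a response's caching headers (sample headers are constructed).

# Directives the NoCache master page is meant to add, and the risk when one is absent.
REQUIRED = {
    "no-store": "browser may keep a copy and redisplay it on Back after sign-out",
    "no-cache": "a stored copy may be reused without asking the server first",
}

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}.

    Simple comma split; it does not handle commas inside quoted arguments.
    """
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def audit(headers):
    """Return findings for one response; an empty list means both directives are present."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cc = parse_cache_control(lowered.get("cache-control", ""))
    findings = [f"missing {d}: {why}" for d, why in REQUIRED.items() if d not in cc]
    if "public" in cc:
        findings.append("public: shared caches such as proxies may store the page")
    return findings

# Constructed sample: a page served without the NoCache master page.
BEFORE = {"Cache-Control": "private, max-age=0", "Content-Type": "text/html"}
# Constructed sample: headers expected once both Response.Cache calls have run.
AFTER = {"Cache-Control": "no-cache, no-store", "Pragma": "no-cache", "Expires": "-1"}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        result = audit(hdrs)
        print(label, "->", result if result else "OK")
```

The headers to feed in can be copied from the browser's developer tools (network tab) for any page that uses the master page.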

Again, this is not “the best” way to accomplish this, of course, as we will be missing out on the goodness that caching has to offer.  But this is one of the ways!

Hope you found this helpful :)