Distinguish between browser close/refresh/back events for a secure site (asp.net 2.0)
This is a question I have also been trying to answer (and mainly finding only posts about disabling back-button navigation, or about checking whether the current page is not the most recent one in the browser history and, if so, telling the browser to go forward again, which is either ineffective or degrades the user experience).
The basic premise of the issue is:
1. User logs into secure application.
2. User views sensitive data.
3. User (not knowing any better) leaves browser window open (even though they may have closed the Tab that was displaying the website, or navigated to a page outside of the site).
4. User or Second User opens new tab and either:
a. uses history to return to previous page containing sensitive data, or
b. types the URL of the login page of the web app, but due to the persistence of the ASP.NET (HttpOnly) session cookie (not accessible to client-side script), is automatically returned to the logged-in page of the previous user, displaying sensitive data.
If it is the same user who finds themselves still logged in, this may affect their perception of site security. If it is a separate user who views this data, then in this particular application that would be a breach of confidentiality and data protection.
I checked a few different third-party secure sites (e.g. an online bank) and so far found two that have solved the issue (and one that had not) for the major browsers (assuming both JavaScript and cookies are available, otherwise they probably don't allow access).
Date: Tue, 24 Feb 2009 19:59:58 GMT
Cache-Control: no-cache, no-store
Content-Type: text/html; charset=utf-8
which I think is achieving the desired effect, though I see that the Pragma no-cache header is listed as deprecated.
The only thing I have not now managed to do, regarding the functionality I discussed, is allowing the user to click their browser refresh button and remain in the site.
However, I have checked a couple of third-party sites that manage to detect and silently log out the user as they navigate away to an external link, that do not offer to resubmit the form when the same entry is loaded from the browser history before the session has expired, and that still allow browser back/forward button navigation to work internally within the site (as mine now does). I have found that in each case they also either return the user to the login page when the browser refresh button is clicked (as mine does) or, in some cases, redirect to an error page.
I guess it's a compromise I can accept.
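The following is an added example, not code from the original post or from any of the third-party sites it mentions. It shows the server side of the approach the post describes for ASP.NET 2.0: an HttpModule that emits Cache-Control: no-cache, no-store on every response to an authenticated user (so a history or back-button visit cannot be served from the browser cache and must be re-requested from the server), and a logout handler that a client-side "navigating away" beacon can call so the session cookie no longer lets a second user into the previous user's pages (premise 4b above). The class names NoCacheModule and LogoutHandler, the path Logout.ashx, and the use of Forms authentication for login state are assumptions; ASP.NET_SessionId is the default session cookie name and would need changing if the application configures another.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Added example (hypothetical names, not the poster's code). Registration in web.config:
//   <httpModules><add name="NoCacheModule" type="NoCacheModule" /></httpModules>
//   <httpHandlers><add verb="*" path="Logout.ashx" type="LogoutHandler" /></httpHandlers>

// Sends Cache-Control: no-cache, no-store (ASP.NET also emits Pragma: no-cache and
// Expires: -1 for the NoCache cacheability) on every response to an authenticated user.
// The browser then cannot show a history/back entry from its cache; it must hit the
// server, where the session check decides whether the page is still available.
public class NoCacheModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // PostAuthenticateRequest: Forms authentication has already populated Context.User.
        // (Assumption: login state is held by Forms authentication. If it lives in Session
        // instead, hook PostAcquireRequestState and test the session value there.)
        app.PostAuthenticateRequest += new EventHandler(OnPostAuthenticateRequest);
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            return; // anonymous pages such as the login form may be cached normally
        }

        HttpCachePolicy cache = ctx.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);    // Cache-Control: no-cache, Pragma: no-cache
        cache.SetNoStore();                                   // appends no-store: never written to disk cache
        cache.SetExpires(DateTime.UtcNow.AddYears(-1));       // Expires in the past for HTTP/1.0 caches
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
    }

    public void Dispose()
    {
    }
}

// Logout endpoint for a client-side "leaving the site" beacon. It abandons the
// server-side session, removes the Forms ticket and expires the session cookie, so
// a new tab that types the login URL is not returned to the previous user's page.
public class LogoutHandler : IHttpHandler, IRequiresSessionState
{
    public void ProcessRequest(HttpContext context)
    {
        if (context.Session != null)
        {
            context.Session.Clear();
            context.Session.Abandon();
        }
        FormsAuthentication.SignOut();

        // Abandon() alone leaves the cookie in the browser; expire it explicitly so the
        // old session id is not presented again. Assumption: default cookie name.
        HttpCookie sessionCookie = new HttpCookie("ASP.NET_SessionId", string.Empty);
        sessionCookie.Expires = DateTime.UtcNow.AddYears(-1);
        sessionCookie.HttpOnly = true;
        context.Response.Cookies.Add(sessionCookie);

        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.Cache.SetNoStore();
        context.Response.StatusCode = 204; // no body needed for a beacon request
    }

    public bool IsReusable
    {
        get { return true; }
    }
}
```

Two caveats worth keeping in mind with this design. First, the browser's beforeunload/unload events fire identically for a refresh, a tab close, a window close and navigation to another site, so a logout beacon driven from them cannot tell a refresh apart from a departure; that is why the sites described above, and this setup, end up on the login page after a refresh. Second, no-store only stops the browser from serving the page from its cache; it does nothing about a still-valid session cookie, which is why the logout handler (or a short server-side session timeout) is needed as well.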