How to get the user to log out when trying to navigate using the browser navigation buttons?

Project context

The client requires that users of the site (when they are logged in and can view their personal information) are forced to log out if they try to navigate using the browser navigation buttons.

My research

A search around on SO seems to indicate that most of the problems people have to deal with are stopping people from clicking the back button when they log out, such as this and. The difference is that I need to "stop" users from navigating back in history (and even forward, although I don't see how users can move forward in history if they cannot go back first) even if they are logged in, which makes it mandatory to use this navigation.

The solution I have in mind

I am going to capture a browser event when the user clicks the back button and records them. However, as discussed here, it seems that you can only "do this" using JavaScript and not use server-side code. My problem is that users can get around it by simply disabling JavaScript in their browsers.

My question

So my question is: is there a way to capture the browser event on the server side and register it there? If not, what are the alternatives to achieving my goal?

+4
source share
7 answers

I would say that your best option is to track the session.

You send the client a timestamp when the request was processed by your server or even simpler: a counter depending on the user (which you send to the client each time), and the server side keeps track of the last time stamp / counter sent.

If the user clicks the "Back" button, he will send you the old label / counter instead of the last current one, and you can display it on the server side.

That should do the trick.

To make sure that the trick is done and to make it independent of JavaScript, I would say that you can put this value in a hidden parameter or, possibly, in a hidden form field so that the user does not see it, but it is always sent to your server.

Hope this helps!

+7
source
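The counter scheme from the answer above, sketched as an added example (not code from the thread). The names `NavigationGuard`, `handle_request` and `hidden_field`, and the in-memory session dict, are assumptions; a random one-time token stands in for the counter so the next value cannot be guessed.

```python
import hmac
import html
import secrets


class NavigationGuard:
    """Tracks, per login session, the one token the server expects next."""

    def __init__(self):
        # session_id -> token embedded in the last page sent to that user
        # (in-memory stand-in for a real server-side session store)
        self.sessions = {}

    def _issue(self, session_id):
        token = secrets.token_urlsafe(16)
        self.sessions[session_id] = token
        return token

    def login(self, session_id):
        return self._issue(session_id)

    def handle_request(self, session_id, submitted_token):
        """Return (status, next_token); a stale or missing token ends the session."""
        expected = self.sessions.get(session_id)
        if expected is None:
            return ("login_required", None)
        fresh = submitted_token is not None and hmac.compare_digest(
            expected.encode(), submitted_token.encode())
        if not fresh:
            # An older page was resubmitted (back/forward navigation): log out.
            del self.sessions[session_id]
            return ("logged_out", None)
        return ("ok", self._issue(session_id))


def hidden_field(token):
    """Hidden form field that carries the token without any JavaScript."""
    return '<input type="hidden" name="nav_token" value="%s">' % html.escape(token, quote=True)


if __name__ == "__main__":
    guard = NavigationGuard()
    page1 = guard.login("session-A")                      # constructed session id
    _, page2 = guard.handle_request("session-A", page1)   # normal click from page 1
    print(hidden_field(page2))
    print(guard.handle_request("session-A", page1))       # page 1 resubmitted after "Back"
```

A page restored from the browser cache sends no request, so the stale token is only seen on the next click made from that page. A second tab or a reload of an already submitted page trips the same check.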

What I did was create a single page, 1 html document, and then use AJAX to navigate the entire site. When the user clicks the back button, you will be taken to the index page, which is the login page. For login I use AJAX, which I redirect only on the server side. The only problem is that the user presses the forward button, but the good thing is not JS navigation.

+1
source

If the requirement is to trap the browser navigation buttons and log out, a simpler alternative is to never display these navigation buttons in the first place. What use are they if the user cannot go back and forth?

Open a new browser without a toolbar or menu bar from your web application. When the user closes the window, delay the event and exit the session. Thus, the solution will remain simple.

My 2c

+1
source

Using javascript is not good practice because it is on the client side, and what is done on the client side can always be bypassed by the client.

Instead, you should use a session timeout.

0
source

Sorry, button selection is not possible on its own.

Since this is a security issue, the solution (without javascript) would be:

  • use encoded pages that warn you of a transition from the system or to an unregistered page. Even mutual authentication can fit your needs.

authentication

leaving

0
source

If I understand your question correctly:

You cannot avoid sending a request to your server by the user, the user has full control over his / her browser if you do not want to send the user modified version for the intranet team (from open source projects).

Without javascript, the only thing you can do is send a specific parameter via GET by clicking on the desired navigation button. If the parameter is present, you allow viewing the next / previous page, otherwise the user will be logged out.

Obviously, the user can get around this using browser developer tools. But you cannot completely control the behavior of the user interface at this level.

0
source

If I'm right, you are talking about no-cache in the browser. You can set it all as follows:

    // HTTP/1.0 caches
    response.setHeader("Pragma", "no-cache");
    // setHeader replaces any earlier value, so all Cache-Control directives go in one call;
    // "private" prevents caching at the proxy server
    response.setHeader("Cache-Control", "no-cache, no-store, max-age=0, private");
    // A date in the past marks the response as already expired
    response.setDateHeader("Expires", 0);

And then you can define a filter that checks the session on each page. When the user logs in, then set the attribute in the session, and when you log out, delete it.

0
source
