Turning to the comments as well as to the question, I'm not sure that you are for something that will log the user out after a certain time regardless of activity or immediately after a period of inactivity.
If you are happy to use the standard ASP.NET mechanisms, this can be done for you without any important work:
Set up a membership provider .
Make sure your section defines loginUrl:
<authentication mode="Forms"> <forms loginUrl="login.aspx" /> </authentication>
You can set a timeout other than the 30 minute default by using the "timeout" attribute on the element:
<authentication mode="Forms"> <forms loginUrl="login.aspx" timeout="15"/> </authentication>
This will lead to the user logging out after 15 minutes of inactivity on your site (either with an open browser without javascript beating, or if they spend 15 minutes on another site).
Deny access to anonymous users
<authorization> <deny users="?" /> </authorization>
Then, make sure that your login, registration pages, and possibly forgotten passwords are accessible to all users using the location element:
<location path="Logon.aspx"> <system.web> <authorization> <allow users="?"/> </authorization> </system.web> </location> <location path="Register.aspx"> <system.web> <authorization> <allow users="?"/> </authorization> </system.web> </location>
This way, when the expiration date of the cookie for user authentication is redirected to the URL specified in the loginUrl element on your forms page.
If you are not using standard ASP.NET mechanisms, you probably would be better off implementing a base page model.
Create a new class that inherits System.Web.UI.Page, which will check the user login status, and if they are not logged in / have not been executed, redirect them to the login page.
On your pages that should be blocked, instead of inheriting from System.Web.UI.Page, you inherit your base page class (an example of this type of setup to do something like this), check the setup on each page) can be seen in my answer here
Your login page will probably be needed in order for the JS frame to be broken in it to jump out of the iFrame:
if (top!=self.parent){ top.location=self.parent.location; }
Or do you say that by clicking "back", they can still see your pages through the browsers cache? In this case, you will need to play with the cache headers on each page:
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Well, in this case, you will also need a JS timer object to execute Location.Replace on the login page - use this in the user control on each page (or, even better, on the main page) to automatically redirect the user after n minutes:
<script type="text/javascript"> setTimeout('location.Replace("/login.aspx")', 900000); </script>
The time is in milliseconds, so this will close them after 15 minutes, and there is no need to get the entire jQuery infrastructure just for that.
You can also see the meta refresh tag:
<meta http-equiv="refresh" content="900;url=http://example.com/login.aspx" />
This will force the browser to refresh to the login page in 15 minutes (in a matter of seconds).