MVC security issue

I have an MVC app that uses [Authorize] to protect the private bits. When I select the SignOut() URL it signs me out, but if I hit the back button on my browser it goes to the secure page and even lets me use the form. The action takes place and then it shows that I'm signed out. The problem is that it performs the secured action (inserting a row into my database). Then I can use the back button again and do it all over.

Am I missing something important? It seems like it could be a really big security issue.

Changing

	[AcceptVerbs(HttpVerbs.Get)]
	[Authorize(Roles = "Administrator")]

and

	[AcceptVerbs(HttpVerbs.Post)]
	[Authorize(Roles = "Administrator")]

to

	[Authorize(Roles = "Administrator")]
	[AcceptVerbs(HttpVerbs.Get)]

and

	[Authorize(Roles = "Administrator")]
	[AcceptVerbs(HttpVerbs.Post)]

still allows me to use the back button to see the form but does not allow it to post and insert a row into the database. Trying to submit the form redirects to the login page. This is much better, but I'd still like to not show the form at all. Using the [Authorize] decoration I shouldn't have to test for IsAuthenticated, should I?

	if (!User.Identity.IsAuthenticated)
	{
		return RedirectToAction("LogOn", "Account");
	}
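The following is an added example, not code from the thread, showing how I would handle this in ASP.NET MVC. Two points it illustrates: first, [Authorize] is an authorization filter that runs in OnAuthorization before the action method regardless of where it sits relative to [AcceptVerbs], which is an action-method selector rather than a filter, so the attribute order is not what decides whether the POST is rejected; the POST is rejected because the forms-authentication cookie is gone after SignOut(). Second, the form that reappears on "back" comes from the browser cache, and the server-side remedy is to send no-cache/no-store headers on every protected response so the browser must revalidate (and then gets redirected to the login page). The NoBrowserCacheAttribute filter, the AdminController, AccountController and WidgetModel names, and the in-memory list standing in for the database insert are all assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

namespace AddedExample
{
    // Added example (not from the thread): an action filter that marks the response
    // as uncacheable so "back" revalidates with the server instead of replaying a
    // locally cached copy of the protected form.
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
    public sealed class NoBrowserCacheAttribute : ActionFilterAttribute
    {
        public override void OnResultExecuting(ResultExecutingContext filterContext)
        {
            HttpResponseBase response = filterContext.HttpContext.Response;
            HttpCachePolicyBase cache = response.Cache;

            cache.SetCacheability(HttpCacheability.NoCache);          // Cache-Control: no-cache
            cache.SetNoStore();                                       // Cache-Control: no-store
            cache.SetRevalidation(HttpCacheRevalidation.AllCaches);   // Cache-Control: must-revalidate
            cache.SetExpires(DateTime.UtcNow.AddYears(-1));           // Expires in the past
            response.AppendHeader("Pragma", "no-cache");              // for HTTP/1.0 caches

            base.OnResultExecuting(filterContext);
        }
    }

    // Hypothetical model for the form in the thread.
    public class WidgetModel
    {
        public string Name { get; set; }
    }

    public class AdminController : Controller
    {
        // Stand-in for the database table the thread inserts into (assumption).
        private static readonly List<WidgetModel> Widgets = new List<WidgetModel>();

        // [Authorize] runs before the action no matter where it appears relative to
        // [AcceptVerbs]; [NoBrowserCache] keeps the rendered form out of the browser cache.
        [AcceptVerbs(HttpVerbs.Get)]
        [Authorize(Roles = "Administrator")]
        [NoBrowserCache]
        public ActionResult Create()
        {
            return View(new WidgetModel());
        }

        // The POST is protected by the same authorization filter; once SignOut() has
        // cleared the auth cookie this request is redirected to the login page before
        // the body of the method ever runs.
        [AcceptVerbs(HttpVerbs.Post)]
        [Authorize(Roles = "Administrator")]
        [NoBrowserCache]
        public ActionResult Create(WidgetModel model)
        {
            Widgets.Add(model);   // the "insert a row" step from the thread
            return RedirectToAction("Index");
        }

        [Authorize(Roles = "Administrator")]
        [NoBrowserCache]
        public ActionResult Index()
        {
            return View(Widgets);
        }
    }

    public class AccountController : Controller
    {
        // Sign-out clears the forms-auth ticket cookie and abandons session state so
        // nothing server-side still identifies the browser as the administrator.
        public ActionResult SignOut()
        {
            FormsAuthentication.SignOut();
            Session.Abandon();
            return RedirectToAction("LogOn");
        }

        public ActionResult LogOn()
        {
            return View();
        }
    }
}
```

With the filter applied, pressing "back" after SignOut() makes the browser re-request the page; [Authorize] sees no valid ticket and redirects to LogOn, so the form is never shown. The explicit IsAuthenticated check in the action body is then unnecessary.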

Well, the first back is probably using the browser's cache, not too much one can do on the server side save forcing the page to expire. So long as they can't submit the form they can't do too much harm, no?

Correct. I imagine it would be a rare occurrence, and since it can no longer cause an issue then no big deal.