
Issue with cleaning browser cache and cookies on logout in ASP.NET MVC 3

It's quite a common topic I think, but I can't resolve my problem. In my application built with ASP.NET MVC 3, I'm using forms authentication along with output caching:

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" name=".CMS" protection="All" timeout="43200" cookieless="UseCookies"/>
</authentication>

<caching>
  <outputCacheSettings>
    <outputCacheProfiles>
      <add name="Dynamic" duration="3600" location="Client" varyByParam="id" />
    </outputCacheProfiles>
  </outputCacheSettings>
</caching>

My LogOff action looks like the following:

public ActionResult LogOff()
{
    _formsService.SignOut();
    return RedirectToAction("Index", "Dynamic");
}

This action uses a simple SignOut method:

public void SignOut()
{
    FormsAuthentication.SignOut();

    HttpContext.Current.Session.Abandon();

    // clean auth cookie
    HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, string.Empty);
    authCookie.Expires = DateTime.Now.AddDays(-1);
    HttpContext.Current.Response.Cookies.Add(authCookie);

    // clean session cookie
    HttpCookie sessionCookie = new HttpCookie("ASP.NET_SessionId", string.Empty);
    sessionCookie.Expires = DateTime.Now.AddDays(-1);
    HttpContext.Current.Response.Cookies.Add(sessionCookie);
}

But the problem is the following:

The page http://localhost/app/dynamic/page is protected. I cannot enter this page until I log in. After login, I have access to browse such pages. After logout, and then entering the page again, unfortunately I can still view its content.

How do I prevent access to protected pages after logout, when caching is enabled and I have previously visited such pages? What am I doing wrong? Should the cookies be cleaned in another way?

Regards


The page is still cached. You need to add the following response header:

Cache-Control: no-cache

which doesn't actually prevent caching. The cache-control response header's no-cache directive means that the browser

MUST NOT use the response to satisfy a subsequent request without successful revalidation with the origin server.

If you really want to prevent caching, specify the no-store directive. That tells the browser that it

MUST NOT store any part of either this response or the request that elicited it. This directive applies to both non-shared and shared caches. "MUST NOT store" in this context means that the cache MUST NOT intentionally store the information in non-volatile storage, and MUST make a best-effort attempt to remove the information from volatile storage as promptly as possible after forwarding it.

See the HTTP 1.1 specs for details on cache-control and its directives.
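As an added example (not code from the question or from this answer), here is one way to emit those headers on every protected action in ASP.NET MVC 3: an action filter that sets no-cache, no-store and must-revalidate through the response's cache policy, applied next to [Authorize]. The controller and action names are hypothetical. It assumes the protected action is no longer decorated with the client-side "Dynamic" output cache profile from the question, since a Cache-Control that allows client caching and one that forbids it cannot both be honoured on the same response.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example: forbid the browser from keeping a copy of a protected page.
// After LogOff, Back or re-typing the URL must then go to the server, where the
// missing auth cookie makes [Authorize] redirect to the login page.
public sealed class NoClientCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;

        // Cache-Control: no-cache, no-store, must-revalidate
        // (NoCache also emits Pragma: no-cache and Expires: -1 for HTTP/1.0 caches)
        cache.SetCacheability(HttpCacheability.NoCache);
        cache.SetNoStore();
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        cache.SetExpires(DateTime.UtcNow.AddYears(-1));

        base.OnResultExecuting(filterContext);
    }
}

// Hypothetical controller standing in for the question's /dynamic/page route.
[Authorize]
[NoClientCache]
public class DynamicController : Controller
{
    public ActionResult Page(int id)
    {
        // Constructed placeholder content; a real action would load the page by id.
        return Content("Protected page " + id);
    }
}
```

To confirm it works, open the protected page while logged in, log off, and press Back: the browser should now issue a new request (visible in the browser's network tab or a proxy such as Fiddler) and receive the redirect to the login page instead of rendering the stored copy.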


Take a look at this post: Asp.Net Mvc Can Not Log Out. I believe it should provide the code snippet needed to log out and clear the cache.


You can't clear the browser cache from the server.

IMO the only right thing to do is invalidating the cookie on the server side (i.e. even if somebody gets to know the cookie, he can't use it anymore), and optionally deleting the cookie on the client.

Just deleting the cookie isn't enough IMO.
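An added example of the server-side invalidation this answer recommends (not code from the answer or from the question's project): a forms authentication ticket is self-contained, so expiring the cookie in the browser does nothing to a copy that was already captured. The code below records, per user, the time of the last logout and rejects any ticket issued before that time, even when the browser still presents it. The in-memory store, the TicketRevocation class, the RejectRevokedTicket attribute and the controller are all constructed for this example; a real deployment needs a shared store (database or cache) so that every web node sees the same revocations.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example: per-user revocation of forms authentication tickets.
public static class TicketRevocation
{
    // Constructed in-memory store for illustration only (lost on app restart,
    // not shared across a web farm).
    private static readonly ConcurrentDictionary<string, DateTime> LogoutAfter =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Called on logout: every ticket issued before now is no longer accepted.
    public static void RevokeAll(string userName)
    {
        LogoutAfter[userName] = DateTime.UtcNow;
    }

    // A ticket is revoked when the user logged out after it was issued.
    public static bool IsRevoked(FormsAuthenticationTicket ticket)
    {
        DateTime cutoff;
        return ticket != null
            && LogoutAfter.TryGetValue(ticket.Name, out cutoff)
            && ticket.IssueDate.ToUniversalTime() <= cutoff;
    }
}

// Extends [Authorize]: the cookie must not only be present and valid,
// it must also have been issued after the user's last logout.
public sealed class RejectRevokedTicketAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext))
            return false;

        HttpCookie cookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
            return false;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            // Any decryption failure means the cookie is not one we issued.
            return false;
        }

        if (TicketRevocation.IsRevoked(ticket))
        {
            // Expire the stale cookie in this browser as well, then let the
            // base class redirect to the login page.
            FormsAuthentication.SignOut();
            return false;
        }
        return true;
    }
}

// Hypothetical controller showing where the revocation is recorded:
// before the cookie is cleared, while the user's name is still known.
public class AccountController : Controller
{
    public ActionResult LogOff()
    {
        if (User.Identity.IsAuthenticated)
            TicketRevocation.RevokeAll(User.Identity.Name);

        FormsAuthentication.SignOut();
        Session.Abandon();
        return RedirectToAction("Index", "Dynamic");
    }
}
```

Protected actions are then decorated with [RejectRevokedTicket] instead of [Authorize]. A fresh login after logout produces a ticket whose IssueDate is later than the recorded cutoff, so it passes; a replayed older cookie is refused for the whole of the question's 43200-minute ticket lifetime rather than only until the browser discards it.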


Have you verified that the browser actually makes a request to the page http://localhost/app/dynamic/page (i.e. using Fiddler)?

If the page is served from the browser's cache, you need to set the cache control header on app/dynamic/page so the browser is forced to query the page from the server.

If the page is retrieved from the server, then see if the cookies are still there (your cookie code looks OK, but still something could be wrong) OR if server-side caching kicks in.
