The Back button has been the bane of web developers since before anyone knew what Ajax was. The answer is actually pretty straightforward, but probably not what you want to hear. Let's assume that your application first authenticates a user and then issues that user a "token" in the form of an HTTP cookie. That cookie is either stored in browser memory until the browser is closed, or stored in the file system to live on between browser sessions. In any case, as long as the browser is open that cookie is still resident in memory and will be transmitted back to the site on each new request. And since this is acting as intended, the question then becomes: how do I get rid of the cookie when the user navigates away from the site? HTTP is a stateless protocol, which in this case means that if you're on a site and then click on a link to a new site, the browser doesn't send any new information to the old site before leaving. From the server's perspective you've just stopped asking questions. So given this, you only have a few options, none of which are particularly great:
- More aggressively control session timeout - this could actually backfire on you if users pause often in your application, but it otherwise might ensure that the session token expires while the user is away looking at another site. You could employ an Ajax call under the hood of each page that asynchronously polls the web server as a keep-alive. Microsoft's OWA does this. That way the user session remains active as long as the page is resident and the JavaScript call is firing. When they leave the page the JS would stop firing and the aggressive timeout would kick in.
- Don't cache anything on your site - a terrible idea, but basically when the user hits the back button, a lot of the content (sometimes all of it) will come from their local cache and an actual request won't go to the server until they click on something. This may have to be an acceptable risk assuming you've found a good way to delete the cookie. The Back button may get them back to your site, but it'll only be a shadow of your site and any new activity will require re-authentication. Make sure of course that you include functionality that sends them back to the logon page if the cookie is missing.
The thing is, unless you get rid of the cookie, users will be able to continue access without re-authenticating, and finding a way to delete the cookie is really the hard part.
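The two options above, combined, as an added example (not code from the answer): a server-side session store whose idle timeout is measured from the last keep-alive poll, a dispatcher that redirects to the logon page and clears the cookie when the session is missing or expired, and no-store cache headers so Back triggers a real request. The timeout, poll interval, paths and header values are assumptions chosen for illustration.

```python
import secrets
import time

# Assumed values (not from the answer): a 2-minute idle timeout paired with a
# 30-second keep-alive poll, so the session dies soon after the page is gone.
IDLE_TIMEOUT_SECONDS = 120
KEEPALIVE_INTERVAL_SECONDS = 30

# Headers that stop the browser serving a cached copy of an authenticated page
# on Back, so a real request (and a real cookie check) happens instead.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}


class SessionStore:
    """In-memory sessions; each expires IDLE_TIMEOUT_SECONDS after its last touch."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so tests can fast-forward time
        self.sessions = {}          # token -> (user, last_seen)

    def create(self, user):
        token = secrets.token_urlsafe(32)   # unguessable session token
        self.sessions[token] = (user, self.clock())
        return token

    def validate(self, token):
        """Return the user for a live session, or None (forgetting it) if idle too long."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        if self.clock() - last_seen > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            return None
        return user

    def touch(self, token):
        """Keep-alive: called by the page's background poll; False if already expired."""
        user = self.validate(token)
        if user is None:
            return False
        self.sessions[token] = (user, self.clock())
        return True


def handle_request(store, cookies, path):
    """Minimal dispatcher returning (status, headers, body)."""
    token = cookies.get("session", "")
    if store.validate(token) is None:
        # Missing or expired cookie: clear it and send the user back to logon.
        headers = {"Location": "/login", "Set-Cookie": "session=; Max-Age=0", **NO_STORE_HEADERS}
        return 302, headers, ""
    if path == "/keepalive":
        store.touch(token)
        return 204, dict(NO_STORE_HEADERS), ""
    return 200, dict(NO_STORE_HEADERS), "authenticated page for " + store.validate(token)
```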