I've password protected my site nicely with Access Manager and created a logout button and a timeout feature for inactive users using a meta tag. Problem is, if an unauthorized user has access to the (public) computer with the logout screen displayed, all they have to do is hit the back button to gain access to the last password protected page (although if they try to navigate through the site, then they are prompted for a username and password.) This last page could contain sensitive information, so I've been trying a number of ways to deactivate or make unusable the back button. I've tried various javascripts in the header, adding code to .htaccess, various php scripts to limit sessions or cache. None of them seem to work. I know that it's local cache that is storing the page. There must be a way to do it because all financial institutions do it. Is there a way?

(I know this is getting far out of the range of questions to just support CC software

Set the response.Expires = -1. The page will expire the second it is sent and the only way they can go back is to refresh the page. Which will then prompt for password.

Thanks, but I'm using justhost.com, and they don't support asp.net (that is asp isn't it?). They support Linux, Apache, MySQL and PHP environment (LAMP). I tried the equivalent <meta http-equiv="Expires" content="-1"> , but it didn't work.

http://www.htmlgoodies.com/tutorials/bu … Button.htm