Browsers cache pages. We all know that. But most browsers also cache SSL secured pages. Such pages potentially contain sensitive data and you don’t want that anybody who has file access to your computer (administrator, remote attacker, virus or trojan) can read that data in your browser cache, right?
You can double check IE’s settings in Internet Options->Advanced->Security->Do not save encrypted pages to disk.
To disable client side caching (at least for RFC compliant browsers) in ASP.NET, you can use the OutputCache directive, e.g.
<%@ OutputCache Location=”None” VaryByParam=”none” %>
You can also define a cache profile for sensitive pages in web.config:
<add name=“Sensitive“ location=“None“ varyByParam=“none“/>
…and refer to it on a page:
<%@ OutputCache CacheProfile=”Sensitive” %>
If you want to programmatically disable caching (e.g. in a base page or module) you can do this: