OAuth 2.0, how to properly handle browser back button that navigates to an exchange endpoint?

I am implementing the OAuth 2.0 protocol within my MVC application. Everything seems to be working as expected except for one thing.

How do I handle the scenario where the user presses the browser back button after they have been redirected to their application once the exchange endpoint has completed? The problem is that the browser caches the state and code parameters, and obviously the code has already been exchanged.

I can always put some guard code in to see if an exception is thrown and send the user back into the original sign-in flow, which will redirect them to the default pages since there will already be an SSO session. Not sure if this is a proper solution.

For information, I am using Identity Server and a mix of React, Angular and MVC applications.



Solution 1:

After doing more research I discovered that you can use the 303 status code instead of 302; in that case browsers should not cache the first redirect, per the specification.

However, based on the note in the 302 section, most modern browsers implement 302 as if it were a 303 redirect and do not cache the response.

The solution was that I started adding a Cache-Control header with the no-cache value to my 302 redirects, and the browser no longer takes me back to the previous redirects.

Here is the documentation I took this from: https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

I used 302 instead of 303 because I have multiple redirects, and the documentation states that with 303 the first redirect should not be cached, meaning it will ignore all the others.
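An added example, not part of the question or the answer and not IdentityServer or ASP.NET code: a Node-style JavaScript callback handler showing the two pieces together, the guard from the question (an already-signed-in user replaying the callback URL is sent to the default page without re-exchanging the code) and the non-cacheable redirect from the answer (a 303 with Cache-Control headers, so Back re-requests the URL instead of replaying a cached redirect). The paths `/`, `/account/login`, the session field names and the token-endpoint stand-in are assumptions for illustration; a real deployment would call the provider's token endpoint where `exchangeCode` is invoked.

```javascript
// Added example (not from the original post): server-side OAuth 2.0
// callback handling that survives the browser Back button.
// Paths, session field names and helper names are assumptions.

const DEFAULT_PAGE = '/';            // assumed landing page for signed-in users
const LOGIN_PATH = '/account/login'; // assumed start of the sign-in flow

// Build a redirect descriptor { status, headers }. 303 tells the browser to
// GET the Location; the Cache-Control/Pragma/Expires headers keep the redirect
// out of the cache, so Back re-requests the callback URL instead of replaying
// the stored redirect. Passing 302 here gives the variant used in the answer.
function redirect(location, status = 303) {
  return {
    status,
    headers: {
      Location: location,
      'Cache-Control': 'no-store, no-cache, max-age=0, must-revalidate',
      Pragma: 'no-cache',
      Expires: '0',
    },
  };
}

// Write the descriptor to a Node http.ServerResponse-like object.
function writeRedirect(res, r) {
  res.writeHead(r.status, r.headers);
  res.end();
}

// Callback (redirect URI) handler. `query` is the parsed query string,
// `session` the mutable per-browser session, and `exchangeCode` redeems the
// code at the token endpoint and throws if it was already used (invalid_grant).
function handleCallback(query, session, exchangeCode) {
  // Replayed callback (typically Back) while an SSO session already exists:
  // never exchange again, just go to the default page.
  if (session.user) {
    return redirect(DEFAULT_PAGE);
  }
  if (query.error) {
    return redirect(LOGIN_PATH + '?error=' + encodeURIComponent(query.error));
  }
  // `state` is bound to the pending request and consumed exactly once, so a
  // replay with a stale state is rejected even if the session was lost.
  if (!query.code || !query.state || query.state !== session.pendingState) {
    return redirect(LOGIN_PATH);
  }
  const returnUrl = session.returnUrl || DEFAULT_PAGE;
  delete session.pendingState;
  delete session.returnUrl;

  let user;
  try {
    user = exchangeCode(query.code);
  } catch (e) {
    // Code already redeemed or rejected: restart sign-in. With a live SSO
    // session at the provider this comes straight back with a fresh code.
    return redirect(LOGIN_PATH);
  }
  session.user = user;
  return redirect(returnUrl);
}

// Constructed stand-in for the token endpoint: each code redeems only once,
// which is the behaviour that produces the exception the question describes.
function makeTokenEndpoint() {
  const redeemed = new Set();
  let calls = 0;
  return {
    exchange(code) {
      calls += 1;
      if (redeemed.has(code)) throw new Error('invalid_grant');
      redeemed.add(code);
      return { sub: 'user-' + code };
    },
    get calls() { return calls; },
  };
}

// Constructed scenario: the first visit exchanges the code; Back replays the
// same URL, which must not reach the token endpoint a second time.
function simulateBackButton() {
  const tokenEndpoint = makeTokenEndpoint();
  const session = { pendingState: 'xyz', returnUrl: '/dashboard' };
  const query = { code: 'abc123', state: 'xyz' };
  const first = handleCallback(query, session, tokenEndpoint.exchange);
  const second = handleCallback(query, session, tokenEndpoint.exchange);
  return { first, second, exchangeCalls: tokenEndpoint.calls };
}
```

In `simulateBackButton()` the first request lands on `/dashboard` and the replay on `/`, with the token endpoint called once. `no-store` is stricter than the `no-cache` the answer used; either keeps the redirect from being served out of cache, and the headers are set on every redirect, not only the first, so the choice between 302 and 303 is not load-bearing.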

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 kkdeveloper7