asp.net - Why is a file still accessible (until cache is cleared) when anonymous access is denied through web.config on the parent folder?


I have an ASP.NET MVC website, and I want to deny access to a particular folder and its contents on the website. I have done this in web.config by denying access to anonymous users, using the following:

    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>

Now I am facing a problem when I try to access a file from that folder after logging out.

If I try to access a file, say a text file, without logging in, from the browser URL, it redirects me to the login page as expected.

The URL, for example, is: "https://www.mywebsite.com/content/mynotepad.txt".

If I hit the above URL after logging in, the file opens, again as expected.

But after logout I am facing the problem. The file remains accessible after signing out. When I press Ctrl+F5, it redirects me to the login page.

I know caching is causing this to happen, but I am unable to find a solution for this. Any help is appreciated.

If the file is cached, the browser doesn't need to hit the server for it.

If the browser doesn't hit the server for it, how does it matter whether the server considers it "logged in" or not?

If you set a cache setting of max-age=0, must-revalidate, proxy-revalidate, the browser will consider the response stale, and a stale response is never acceptable, so it will hit the server again.

This can still be used with e-tag and/or last-modified, because the server can still return 304 to indicate that the cached response is indeed still usable. Hence you get the benefits of caching while maintaining a check on whether the user is logged in.

If the resource is sensitive enough to make users poking in their browsers' caches manually an unacceptable leak, you need to set a no-cache cache header to prevent that.
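
The sequence discussed above (open the file while logged in, log out, open it again), as an added example that is not part of the original question or answer: a constructed JavaScript model of one browser cache entry and a server that checks authorization before anything else. `max-age=3600` stands in for whatever freshness lifetime the browser gave the file in the question (an assumption), `no-store` is included for comparison, and all function names are hypothetical.

```javascript
// Constructed model: one protected file, one browser cache entry, times in seconds.
const FILE = { body: 'notes', etag: '"v1"' };

// Server side: authorization runs first, as with <deny users="?" /> on the folder.
function server(req, loggedIn, cacheControl) {
  if (!loggedIn) return { status: 302, location: '/login' };
  if (req.ifNoneMatch === FILE.etag) return { status: 304 };
  return { status: 200, body: FILE.body, etag: FILE.etag, cacheControl };
}

// Freshness lifetime from the stored header; no max-age is treated as 0 here.
function maxAge(cacheControl) {
  const m = /max-age=(\d+)/.exec(cacheControl);
  return m ? Number(m[1]) : 0;
}

// Browser side: serve a fresh entry locally, otherwise ask the server.
function browserGet(cache, now, loggedIn, cacheControl) {
  const e = cache.entry;
  if (e && now - e.storedAt < maxAge(e.cacheControl)) {
    return { from: 'cache', body: e.body, serverHit: false }; // server never sees this
  }
  const res = server({ ifNoneMatch: e ? e.etag : undefined }, loggedIn, cacheControl);
  if (res.status === 302) return { from: 'redirect', location: res.location, serverHit: true };
  if (res.status === 304) {
    e.storedAt = now; // cached body confirmed usable for this logged-in user
    return { from: 'revalidated', body: e.body, serverHit: true };
  }
  if (!/no-store/.test(res.cacheControl)) {
    cache.entry = { body: res.body, etag: res.etag, cacheControl: res.cacheControl, storedAt: now };
  }
  return { from: 'server', body: res.body, serverHit: true };
}

// Open the file while logged in (t=0), reopen it (t=30), log out, open it again (t=60).
function scenario(cacheControl) {
  const cache = { entry: null };
  const first = browserGet(cache, 0, true, cacheControl);
  const again = browserGet(cache, 30, true, cacheControl);
  const afterLogout = browserGet(cache, 60, false, cacheControl);
  return { first: first.from, again: again.from, afterLogout: afterLogout.from,
           onDisk: cache.entry !== null };
}

console.log(scenario('max-age=3600'));
console.log(scenario('max-age=0, must-revalidate'));
console.log(scenario('no-store'));
```

The `onDisk` field shows that with `max-age=0, must-revalidate` the body is still stored in the browser cache after logout, even though the browser no longer serves it without asking the server.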

