Back button and security
#1

[eluser]marcin_koss[/eluser]
How do you prevent displaying a cached page when the user has logged out but then pressed the back button?

You can even try it with this forum. Log in to the forum and go to the profile page. Press logout and afterwards press the back button on your browser. You will be brought back to the profile page that was cached by the browser. If it were a banking website designed that way and you used a public computer to access your account, somebody could go and retrieve some important information.

How to avoid page caching by the browser?
#2

[eluser]Schneider707[/eluser]
Wouldn't redirecting someone from a https page to an http page solve that problem?
#3

[eluser]marcin_koss[/eluser]
I don't think so. I looked at the website of one of the banks I use. After logging out it still uses https and when I press back button it only takes me right to the login page.
#4

[eluser]WanWizard[/eluser]
The quick and dirty way is to disable caching in the page header:
Code:
// make sure the page isn't cached
header("Cache-Control: no-cache, no-store, must-revalidate");
header("Pragma: no-cache");
You don't want to do that for every page; that will have quite an impact on your site's performance.

Using the back button in itself is not a problem; the biggest issue is the re-post of a form from a cached page. To solve that, you have to add a nonce to the form (in a hidden field), and after a successful post check if you haven't stored the nonce before. If you have, issue a 'duplicate post' warning; if not, store it somewhere (in the session).
#5

[eluser]marcin_koss[/eluser]
I have already added those headers to the application. When I press the back button it still takes me back to the previous page even though the session has been unset. The site is meant to be used only by company employees, so I don't want any pages to be cached or stored.
#6

[eluser]tarciozemel[/eluser]
Maybe use a page only for the logout and, afterwards, redirect to a login screen, for example.

So, if the Back button is pressed, the person will be redirected to the login over and over again.
#7

[eluser]WanWizard[/eluser]
[quote author="marcin_koss" date="1274474696"]I have already added those headers to the application. When I press the back button it still takes me back to the previous page even though the session has been unset.[/quote]
Yes, but it should reload the page, and not show a cached version.

I use this, e.g., on a page that lists unread messages. If I click on a message to read it, then use the back button to go back to the list, the message I just read is removed from the list.

In your case, it could detect that there is no valid session, and redirect to a login page.
#8

[eluser]marcin_koss[/eluser]
[quote author="WanWizard" date="1274491979"]
In your case, it could detect that there is no valid session, and redirect to a login page.[/quote]

This is exactly how I do it, but since the page is not being refreshed it doesn't check whether the session is available.

Here are all the meta tags I have in my header

Code:
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<meta http-equiv="Cache-Control" content="no-cache" />
<meta http-equiv="pragma" content="no-cache" />
<meta name="HandheldFriendly" content="true" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" />
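The three mechanisms discussed in this thread (the no-cache headers and the one-time form nonce from post #4, and the per-request session check with redirect to login from posts #6 to #8), put together as an added example in plain PHP. This is the editor's example code, not code from the thread and not CodeIgniter's own API. It sends the directives as real HTTP headers rather than as <meta http-equiv> tags, and it includes no-store, which the meta tags in post #8 lack. It also deliberately inverts post #4's bookkeeping: instead of recording a nonce after a successful post, it records each nonce when the form is rendered and deletes it on use, so both a re-post from a cached page and a forged nonce are rejected. The paths /login.php and /logout.php, the session key user_id and the form field names are assumptions.

```php
<?php
// Added example (editor's code, not from the thread): plain PHP, no framework.
// Assumed: /login.php and /logout.php exist; $_SESSION['user_id'] is set on login.
declare(strict_types=1);

// 1. Real HTTP headers (not <meta http-equiv>) telling browsers and proxies
//    not to store this response at all. Must run before any output is sent.
function send_no_store_headers(): void
{
    header('Cache-Control: no-cache, no-store, must-revalidate, private');
    header('Pragma: no-cache');   // for HTTP/1.0 caches
    header('Expires: 0');
}

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// 2. Every protected page calls this first: no valid session -> back to login.
function require_login(string $login_url = '/login.php'): void
{
    ensure_session();
    send_no_store_headers();
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $login_url, true, 303);
        exit;
    }
}

// Logout page: wipe the session server-side and client-side, then redirect,
// so pressing Back from the login screen lands on a page that redirects again.
function logout(string $login_url = '/login.php'): void
{
    ensure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    send_no_store_headers();
    header('Location: ' . $login_url, true, 303);
    exit;
}

// 3. One-time form nonce: issued when the form is rendered, accepted exactly once.
function issue_form_nonce(): string
{
    $nonce = bin2hex(random_bytes(16));          // 128 bits from the CSPRNG
    $_SESSION['form_nonces'][$nonce] = time();   // remember what we handed out
    return $nonce;
}

function consume_form_nonce(?string $nonce): bool
{
    if ($nonce === null || !isset($_SESSION['form_nonces'][$nonce])) {
        return false;   // never issued, or already used: duplicate post
    }
    unset($_SESSION['form_nonces'][$nonce]);   // burn it so a re-POST fails
    return true;
}

// Usage on a protected page carrying a form (hypothetical "message" form).
require_login();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_form_nonce($_POST['nonce'] ?? null)) {
        http_response_code(409);
        echo 'Duplicate or expired form submission.';
        exit;
    }
    // ... handle the accepted post here ...
}
$nonce = issue_form_nonce();
echo '<form method="post">'
   . '<input type="hidden" name="nonce" value="'
   . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">'
   . '<textarea name="message"></textarea><button>Send</button></form>';
```

Call require_login() (and therefore the header functions) before the page produces any output; PHP cannot send headers once the body has started. The logout page simply calls logout(). Because the nonce is tied to the session, it doubles as a CSRF token for the form.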
#9

[eluser]WanWizard[/eluser]
On what device and with which browser are you testing this?
#10

[eluser]marcin_koss[/eluser]
Since it is still under development I'm testing it on my PC with Firefox and IE.