I'm working on a web portal that uses CAS authentication, and would like to prevent someone from using the browser back button to see secure/private contents of a logged out user. It basically requires disabling the browser cache for dynamically generated pages. Obviously it's nothing new and got to have tons of perfect solutions out there. However, after spending days poking online, following tricks satisfied me a lazy amateur web developer:
- JavaScript onUnload event: either use
<body onunload="">
at the beginning of the HTML page, or
<script> window.onbeforeunload = function () {} <script> before the end of HTML body tag.
- Above worked with Safari and IE, but not Firefox 3.5. Next trick is to use HTTP Cache-Control attributes in a response header. Django code example:
response['Pragma'] = 'no-cache'
response['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
response['Expires'] = 0
- I have a form using the POST method in the page. After logging out, browser back button would resubmit the form information to the expired user session, and cause the browser to display unexpected connection drop error. Redirecting the page using
window.location.replace(URL)
right after the form submission solved the issue.
