Thursday, November 19, 2009

Tricky Back Button

I'm working on a web portal that uses CAS authentication, and would like to prevent someone from using the browser back button to see the secure/private contents of a logged-out user (on a shared machine, whoever picks up the browser next could otherwise page back through the previous user's data). It basically requires disabling the browser cache for dynamically generated pages. Obviously it's nothing new and there have got to be tons of perfect solutions out there. However, after spending days poking around online, the following tricks satisfied me, a lazy amateur web developer:

  • JavaScript unload event: either use
     <body onunload="">
    at the beginning of the HTML page, or
     <script> window.onbeforeunload = function () {} </script>
    before the end of the HTML body tag. The handler can be empty: merely registering an unload/beforeunload handler makes the browser leave the page out of its in-memory back/forward cache, so "back" has to request the page again. Note that this does nothing about the on-disk HTTP cache; if the response was cacheable, the browser can still satisfy that request from disk without ever contacting the server.

  • Above worked with Safari and IE, but not Firefox 3.5. The next trick is to set HTTP caching headers on the response. Django code example:

    response['Pragma'] = 'no-cache'
    response['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
    response['Expires'] = 0

    The directive that matters is no-store, which tells the browser not to keep a copy of the response at all; no-cache and must-revalidate only oblige it to revalidate a stored copy before reuse, and Pragma: no-cache and Expires: 0 are there for HTTP/1.0 clients and proxies that ignore Cache-Control. (Django accepts the integer 0 and sends it as "0", which clients treat as already expired; an HTTP date in the past is equally valid.) Firefox also keeps no-store pages out of its back/forward cache, which is why the header works where the unload trick did not. Two things to check: the headers have to go on every private page while the user is logged in, not just on the logout response, because the back button reloads the earlier page; and Django's never_cache decorator (add_never_cache_headers), while convenient, in the version current when this was written set only max-age=0 plus Expires and Last-Modified without no-store, so inspect the headers it actually emits before relying on it.

  • I have a form using the POST method in the page. After logging out, the browser back button would resubmit the form data to the expired user session and cause the browser to display an unexpected connection-drop error. The browser replays the POST because the history entry it returns to is the submission itself; the standard fix is Post/Redirect/Get: answer the POST with a redirect, so the history entry becomes the GET of the result page. Redirecting the page using
    right after the form submission solved the issue.
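As an added example (not code from this post, and not tied to Django: it uses only the Python standard library's wsgiref, and the names NoCacheMiddleware, demo_app, run_request and parse_cache_control are assumed for illustration), the following puts the two server-side fixes above together: a middleware that stamps the no-store headers on every dynamic response while leaving static assets cacheable, a form handler that answers POST with a 303 redirect so the history entry the back button returns to is a GET, and a small checker that parses Cache-Control and reports whether a response could still be served from cache.

```python
"""Back-button hardening for a WSGI app (added example, standard library only)."""
import wsgiref.util

# The same three headers the post sets from Django, as header tuples.
NO_CACHE_HEADERS = [
    ("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]
CACHE_HEADER_NAMES = {name.lower() for name, _ in NO_CACHE_HEADERS}


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def is_uncacheable(headers):
    """True when the response carries no-store, the directive that keeps a page
    out of the disk cache (and, in Firefox, out of the back/forward cache)."""
    for name, value in headers:
        if name.lower() == "cache-control":
            return "no-store" in parse_cache_control(value)
    return False


class NoCacheMiddleware:
    """Force the no-cache headers onto every response except static assets."""

    def __init__(self, app, exempt_prefixes=("/static/",)):
        self.app = app
        self.exempt_prefixes = tuple(exempt_prefixes)

    def __call__(self, environ, start_response):
        exempt = environ.get("PATH_INFO", "").startswith(self.exempt_prefixes)

        def wrapped_start_response(status, headers, exc_info=None):
            if not exempt:
                # Drop whatever the view set (e.g. a permissive max-age) so the
                # strict values below are the only ones the browser sees.
                headers = [(n, v) for n, v in headers if n.lower() not in CACHE_HEADER_NAMES]
                headers.extend(NO_CACHE_HEADERS)
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start_response)


def demo_app(environ, start_response):
    """Stand-in for the portal (constructed for this example): GET returns a
    private page, POST is answered with a redirect to that page (Post/Redirect/Get)."""
    if environ["REQUEST_METHOD"] == "POST":
        # 303 makes the browser follow with GET, so "back" lands on the GET
        # history entry instead of replaying the form submission.
        start_response("303 See Other", [("Location", "/account"), ("Content-Length", "0")])
        return [b""]
    body = b"<html><body>private account page</body></html>"
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Length", str(len(body)))])
    return [body]


def run_request(app, path, method="GET"):
    """Drive a WSGI app in-process (no network); returns (status, headers, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": method}
    wsgiref.util.setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = NoCacheMiddleware(demo_app)
    for path, method in (("/account", "GET"), ("/account", "POST"), ("/static/logo.png", "GET")):
        status, headers, _ = run_request(app, path, method)
        verdict = "uncacheable" if is_uncacheable(headers) else "cacheable"
        print(f"{method} {path}: {status} [{verdict}]")
```

The middleware strips any Cache-Control, Pragma or Expires a view already set before adding the strict ones, so a view that accidentally sends a permissive max-age cannot undo the policy; static paths are exempted because revalidating every stylesheet on every navigation is a cost with no security benefit. The checker is deliberately keyed on no-store alone: a response that says only no-cache or must-revalidate is still stored and may be shown again on "back" if revalidation never happens.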

1 comment:

Anonymous said...

My friend and I were recently talking about how we as human beings are so hooked onto electronics. Reading this post makes me think back to that debate we had, and just how inseparable from electronics we have all become.

I don't mean this in a bad way, of course! Societal concerns aside... I just hope that as the price of memory falls, the possibility of copying our brains onto a digital medium becomes a true reality. It's one of the things I really wish I could experience in my lifetime.

(Posted on Nintendo DS running [url=]R4[/url] DS SerVo)