views: 262
answers: 2
I found out that when the back button is pressed, the browser gets the previous page from its cache even if I send the following headers:

Test1.aspx

Server: ASP.NET Development Server/9.0.0.0
Date: Wed, 24 Mar 2010 17:49:40 GMT
X-AspNet-Version: 2.0.50727
Location: Test2.aspx
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 189
Connection: Close
+1  A: 

Cache-Control and such things only tell the browser NOT to save the downloaded stuff (js, css, images, etc.) in its cache. They have nothing to do with the history of visited pages.

You shouldn't try to modify the browser's data. Instead, you should handle events and stop the ones you don't want to happen on your site.

Alfabravo
What if I have sensitive data? Say a public voting kiosk. The user chooses a presidential candidate and then clicks submit. Now the next voter comes to the kiosk, presses the back button and sees which candidate the previous user selected, because the browser didn't even try to get the latest version from the server and displayed the page from its cache. What should I do then?
Sergej Andrejev
It means your app behaves wrongly. Transactions, sessions and that kind of thing are meant to handle restrictions on access to sensitive data. When web apps say "remember to close your session", they mean it! Also, if your app places confidential data in the browser's cache, it means you're opening a new security breach. Plain and simple (unless you encrypt it!). You can't rely on unauthorized modifications to the browser's data (by definition it is on the user's side) in order to provide security. Too much like DRM, putting all the security on the same side.
Alfabravo
+1  A: 

Expires should be a date+timestamp, and Cache-Control's "must-revalidate" & "max-age" might help as well?

Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
futtta
Actually the answer was that simple. But I want to make others aware of something. Browsers don't cache pages, they cache requests. So suppose you have one page Test.aspx with one link to itself, and the user first opens the page, then clicks on the link (here no-cache is added) and then presses the back button: the page will be retrieved from the cache, because the first time it was downloaded without the no-cache directive.
Sergej Andrejev
Well, browsers cache responses, which in general are pages, no? And if I'm not mistaken, "no-cache" will already be in the HTTP response header even upon the first request.
futtta