I have to fix a security vulnerability on a ColdFusion page containing a FORM, where we do not want the user to be able to press Back + Reload in the browser and see the fields filled in with what they had typed prior to submitting the form.

The site has a .cfm page which loads a template for another .cfm page. The 2nd .cfm page has the FORM object, which has as its ACTION the first .cfm page; it is basically a search criteria page which will return results.

I tried changing the ACTION for the FORM on the 2nd .cfm page to point to a temp.cfm page which had the following code (tags restored, as the angle brackets were lost in extraction):

```cfml
<cfheader statusCode="302" statusText="Moved Temporarily">
<cfheader name="Location" value="firstpage.cfm">
<cfabort>
```

so that the browser would not be able to use Back to return to the original .cfm page with the values filled in. But this is not passing my FORM data past this temp.cfm page, and my searches always bring up zero results.

A: 

Are you using cfform? If so, remove the PreserveData="true" attribute from your form. Or you could optionally remove value="#form.formfield#" from the form inputs. If you could post a couple of lines of your form, we can probably provide better help.

Did you check to see if the form page is being cached?

andrewWinn
+1  A: 

After your action page processes the form, use CFLOCATION to redirect the browser to another page. This uses a 302 redirect.

Al Everett
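As an added example (not code from the question or from any of the answers), here is the Post/Redirect/Get sequence that answer describes, written in CFML. The point the question missed is that the search has to run on the POST before the 302 is sent; the redirect itself carries no form fields. The file names `criteria.cfm`, `search.cfm` and `results.cfm`, the `products` table, the `application.dsn` datasource and the `keyword` field are all assumptions, and `encodeForHTML` assumes ColdFusion 10 or later (or Lucee).

```cfml
<!--- search.cfm (hypothetical name): the form's ACTION page.
      Runs the search on the POST, stashes the criteria and results in SESSION,
      then 302-redirects to a GET page, so Back never lands on the POST response. --->
<cfif cgi.request_method EQ "POST" AND structKeyExists(form, "keyword")>

    <!--- Bind the search term with cfqueryparam instead of concatenating it into SQL. --->
    <cfquery name="qResults" datasource="#application.dsn#">
        SELECT id, title
        FROM   products
        WHERE  title LIKE <cfqueryparam cfsqltype="cf_sql_varchar" value="%#form.keyword#%">
    </cfquery>

    <!--- Hand the criteria and result set to the GET page through the session,
          not through the URL, so the redirect does not have to carry the POSTed fields. --->
    <cfset session.lastSearch = { keyword = form.keyword, results = qResults }>

    <!--- cflocation sends a 302 with a Location header and stops processing here.
          addtoken="false" keeps CFID/CFTOKEN out of the redirect URL. --->
    <cflocation url="results.cfm" addtoken="false">

<cfelse>
    <!--- Anything other than a POST with the expected field goes back to the empty form. --->
    <cflocation url="criteria.cfm" addtoken="false">
</cfif>


<!--- results.cfm (hypothetical name): only ever reached by GET after the redirect.
      It never echoes the POSTed fields into inputs, so Back + Reload from here
      returns to criteria.cfm, which renders an empty form. --->
<cfif NOT structKeyExists(session, "lastSearch")>
    <cflocation url="criteria.cfm" addtoken="false">
</cfif>

<cfset searchKeyword = session.lastSearch.keyword>
<cfset qResults      = session.lastSearch.results>

<cfoutput>
<h2>Results for #encodeForHTML(searchKeyword)#</h2>
<ul>
<cfloop query="qResults">
    <li>#encodeForHTML(title)#</li>
</cfloop>
</ul>
<p><a href="criteria.cfm">New search</a></p>
</cfoutput>
```

With this layout the browser's history holds criteria.cfm (GET), then results.cfm (GET); the POST to search.cfm is replaced in history by the redirect target, which is why Back no longer offers a "resubmit form" page with the old values. Keeping the results in the session rather than deleting them on first view means a plain Reload of results.cfm still works without re-running the POST.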
A: 

Disabling caching in the meta tags of the HTML would work. No need to use a redirect at all.

E.g. the user clicks the logout link; when the user then clicks Back, it will be a new request, and at that point you can check whether the SESSION is logged in or not, and if not, redirect to the login page.

Henry
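As an added example (not from the answer above), here is that approach in CFML: the form page refuses to be cached and checks the session on every request, and the logout page clears the session. The example sends the cache directives as HTTP headers with `cfheader` rather than as `<meta http-equiv>` tags, because headers are honoured by intermediate proxies as well as by the browser and are seen before the HTML is parsed. The file names `criteria.cfm`, `search.cfm`, `login.cfm` and `logout.cfm` and the `session.isLoggedIn` flag are assumptions.

```cfml
<!--- criteria.cfm (hypothetical name): the page that renders the search FORM.
      Headers must be sent before any output, so they sit at the very top of the file. --->

<!--- no-store tells the browser not to keep a copy at all, so Back cannot replay
      the cached page and must issue a fresh request to the server instead. --->
<cfheader name="Cache-Control" value="no-store, no-cache, must-revalidate">
<cfheader name="Pragma"        value="no-cache">
<cfheader name="Expires"       value="0">

<!--- Because Back now produces a real request, this check runs for it too:
      a logged-out user is bounced to the login page rather than shown the form. --->
<cfif NOT structKeyExists(session, "isLoggedIn") OR NOT session.isLoggedIn>
    <cflocation url="login.cfm" addtoken="false">
</cfif>

<!--- autocomplete="off" additionally asks the browser not to restore previously typed
      values from its own form-state history when the page is revisited. --->
<form method="post" action="search.cfm" autocomplete="off">
    <label>Keyword <input type="text" name="keyword"></label>
    <button type="submit">Search</button>
</form>
<p><a href="logout.cfm">Log out</a></p>


<!--- logout.cfm (hypothetical name): drop everything in the session, then redirect.
      After this, the check at the top of criteria.cfm fails and Back leads to login.cfm. --->
<cfset structClear(session)>
<cflocation url="login.cfm" addtoken="false">
```

Note that the no-store headers only stop the browser from replaying its cached copy of the page; on their own they do not stop the server from putting the old values back into the inputs. That is why the form above has no `value="#form.keyword#"` on the field, and why the session check has to live on the form page itself rather than only on the logout page.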