Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Cannot kill browser cache after session logout when hitting back button

Posted on 2007-11-28
14
601 Views
Last Modified: 2012-05-05
I have a web site developed using ASP/VBScript. This site allows members to log in using session cookies. When they sign out I make sure the session cookies are abandoned. I have also added the following to the header of each page:

<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-cache" />

Despite this, when a person logs out it is still possible to bit the back button of the browser and view the pages within their account. I have protected the pages so that any attempt to click on links within protected pages would redirect to a login page. However I would like to do something similar to Hotmail, when I log out and hit the back button the pages are expired and cannot be viewed.
0
Comment
Question by:mike99c
  • 8
  • 6
14 Comments
 
LVL 25

Expert Comment

by:Rouchie
ID: 20364909
This usually works for me in ASP (put at the top of the page, obviously)...

<% Response.CacheControl = "no-cache" %>
<% Response.AddHeader "Pragma", "no-cache" %>
<% Response.AddHeader "cache-control", "no-store, no-cache, must-revalidate" %>
<% Response.Expires = -1 %>
0
 

Author Comment

by:mike99c
ID: 20365163
Hello,
Unfortunately this did not work. First of all I used the response commands to write the header information but nothing appeared. In the end I had to hard code the following:

<head>
<meta http-equiv="pragma" content="no-cache" />        
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-store" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="cache-control" content="must-revalidate" />

When I logged into the session controlled pages then looged out, I was still able to hit the back button of the browser and see the pages. If I refreshed the back pages manually it forced a log in box to appear so clearly the browser is not trying to get a new page from the server.

For the cache control I even used the following method:
<meta http-equiv="cache-control" content="non-store,no-cache,must-revalidate" />

This also failed to kill the cache.
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365259
This has come from the Microsoft Web Site:

"Note that the use of standard HTTP headers are much preferred over META tags. META tags typically must appear at the top of the HTML HEAD section. And there is at least one known problem with the Pragma HTTP-EQUIV META tag. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
222064 (http://support.microsoft.com/kb/222064/) "Pragma: No-cache" tag may not prevent page from being cached "

0
Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

 
LVL 25

Expert Comment

by:Rouchie
ID: 20365270
Also you should clear the browser cache manually before testing the pages.  And also some sites recommend restarting IIS before testing.
0
 

Author Comment

by:mike99c
ID: 20365351
Hello,
I am actually aware of the Microsoft issue and did in fact place the directives in the footer:

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="pragma" content="no-cache" />        
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-store" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="cache-control" content="must-revalidate" />

..
..
</body>
<head>
<meta http-equiv="pragma" content="no-cache" />        
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-store" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="cache-control" content="must-revalidate" />
</head>
</html>
-----------------------------------------
I manually cleared the offline content and the history then closed the browser and started again. I still could not get the cache to go away.

I have yet to try restarting IIS but cannot do so at this moment.

Any other ideas would be welcome.
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365401
I don't think placing the <head> section after <body> is legitimate.  It seems a very odd way to do this and after all is dated from way back in the past.

I think using the ASP method, or configuring IIS is the best approach.  What happened when you used the ASP Response way to do this?  Did the page load?
0
 

Author Comment

by:mike99c
ID: 20365443
When I did the ASP method the page did load fine but when I viewed the source there was nothing there but an empty space. All other ASP responses in the same page worked fine.
I have attached the code snippet of what I applied when I tried using the ASP response methods.
<%@ enablesessionstate=true %>
<% Option Explicit %>
<%response.buffer=true%>
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="<%=Language%>">
<head>
<% Response.CacheControl = "no-cache" %>
<% Response.AddHeader "Pragma", "no-cache" %>
<% Response.AddHeader "cache-control", "no-store, no-cache, must-revalidate" %>
<% Response.Expires = -1 %>

Open in new window

0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365596
The ASP code to stop caching doesn't need to be in <head>.
Instead it can go directly underneath <%response.buffer=true%>

Some authors also recommend puttting the same block of cache-prevention code at the very end of the page.  I can't seem to find any information online about why this isn't working for you.
0
 
LVL 25

Accepted Solution

by:
Rouchie earned 500 total points
ID: 20365624
Here's a slightly different version to try.  Put it at the top and bottom.
<%
Response.ExpiresAbsolute = #2000-01-01#
response.AddHeader "Pragma", "no-cache"
response.AddHeader "cache-control", "private, no-cache, must-revalidate no-store pre-check=0 post-check=0 max-stale=0"
%>

Open in new window

0
 

Author Comment

by:mike99c
ID: 20365661
Where exactly shall I place this? do I place it within the <head> section at the top and the <head> section at the bottom after the </body> tag?
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365785
I'd scrap the <head> section at the bottom altogether because that is a really dated method.

So put this after <%response.buffer=true%>

and then after </html>
0
 

Author Comment

by:mike99c
ID: 20365887
Hi Rouchie,
That is perfect, it worked realy well. I will award you the full points
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365971
Great stuff.  I'll keep that one for future reference :-)
0
 

Author Comment

by:mike99c
ID: 20366164
Just for your information, I did not have to add after the </html> and it still worked fine.
0

Featured Post

Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
edit .asp files 5 31
Code Manager | Snippits 2 36
Designing forms 3 17
troubleshoot a python script 8 20
When it comes to writing scripts for a Client/Server computing environment it is essential to consider some way of enabling the authentication functionality within a script. This sort of consideration mainly comes into the picture when we are dealin…
This demonstration started out as a follow up to some recently posted questions on the subject of logging in: http://www.experts-exchange.com/Programming/Languages/Scripting/JavaScript/Q_28634665.html and http://www.experts-exchange.com/Programming/…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question