Solved

Cannot kill browser cache after session logout when hitting back button

Posted on 2007-11-28
Last Modified: 2012-05-05
I have a web site developed using ASP/VBScript. This site allows members to log in using session cookies. When they sign out I make sure the session cookies are abandoned. I have also added the following to the header of each page:

<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-cache" />

Despite this, when a person logs out it is still possible to hit the back button of the browser and view the pages within their account. I have protected the pages so that any attempt to click on links within protected pages would redirect to a login page. However I would like to do something similar to Hotmail, when I log out and hit the back button the pages are expired and cannot be viewed.
Question by:mike99c
 
LVL 25

Expert Comment

by:Rouchie
ID: 20364909
This usually works for me in ASP (put at the top of the page, obviously)...

<% Response.CacheControl = "no-cache" %>
<% Response.AddHeader "Pragma", "no-cache" %>
<% Response.AddHeader "cache-control", "no-store, no-cache, must-revalidate" %>
<% Response.Expires = -1 %>
0
 

Author Comment

by:mike99c
ID: 20365163
Hello,
Unfortunately this did not work. First of all I used the response commands to write the header information but nothing appeared. In the end I had to hard code the following:

<head>
<meta http-equiv="pragma" content="no-cache" />        
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-store" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="cache-control" content="must-revalidate" />

When I logged into the session controlled pages then logged out, I was still able to hit the back button of the browser and see the pages. If I refreshed the back pages manually it forced a log in box to appear so clearly the browser is not trying to get a new page from the server.

For the cache control I even used the following method:
<meta http-equiv="cache-control" content="non-store,no-cache,must-revalidate" />

This also failed to kill the cache.
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365259
This has come from the Microsoft Web Site:

"Note that the use of standard HTTP headers are much preferred over META tags. META tags typically must appear at the top of the HTML HEAD section. And there is at least one known problem with the Pragma HTTP-EQUIV META tag. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
222064 (http://support.microsoft.com/kb/222064/) "Pragma: No-cache" tag may not prevent page from being cached "

0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365270
Also you should clear the browser cache manually before testing the pages.  And also some sites recommend restarting IIS before testing.
0
 

Author Comment

by:mike99c
ID: 20365351
Hello,
I am actually aware of the Microsoft issue and did in fact place the directives in the footer:

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="pragma" content="no-cache" />        
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-store" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="cache-control" content="must-revalidate" />

..
..
</body>
<head>
<meta http-equiv="pragma" content="no-cache" />        
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-store" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="cache-control" content="must-revalidate" />
</head>
</html>
-----------------------------------------
I manually cleared the offline content and the history then closed the browser and started again. I still could not get the cache to go away.

I have yet to try restarting IIS but cannot do so at this moment.

Any other ideas would be welcome.
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365401
I don't think placing the <head> section after <body> is legitimate.  It seems a very odd way to do this and after all is dated from way back in the past.

I think using the ASP method, or configuring IIS is the best approach.  What happened when you used the ASP Response way to do this?  Did the page load?
0
 

Author Comment

by:mike99c
ID: 20365443
When I did the ASP method the page did load fine but when I viewed the source there was nothing there but an empty space. All other ASP responses in the same page worked fine.
I have attached the code snippet of what I applied when I tried using the ASP response methods.
<%@ enablesessionstate=true %>
<% Option Explicit %>
<%response.buffer=true%>
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="<%=Language%>">
<head>
<% Response.CacheControl = "no-cache" %>
<% Response.AddHeader "Pragma", "no-cache" %>
<% Response.AddHeader "cache-control", "no-store, no-cache, must-revalidate" %>
<% Response.Expires = -1 %>

0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365596
The ASP code to stop caching doesn't need to be in <head>.
Instead it can go directly underneath <%response.buffer=true%>

Some authors also recommend putting the same block of cache-prevention code at the very end of the page.  I can't seem to find any information online about why this isn't working for you.
0
 
LVL 25

Accepted Solution

by:
Rouchie earned 2000 total points
ID: 20365624
Here's a slightly different version to try.  Put it at the top and bottom.
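<%
' Mark the page as already expired and tell caches not to keep it.
Response.ExpiresAbsolute = #2000-01-01#
Response.AddHeader "Pragma", "no-cache"
' Cache-Control directives must be separated by commas.
Response.AddHeader "cache-control", "private, no-cache, must-revalidate, no-store, pre-check=0, post-check=0, max-stale=0"
%>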

0
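Added example (not part of the original thread, and not code from either poster): a small Python check for a Cache-Control response header value that catches misspelt directives such as the `non-store` in the meta tags quoted earlier, directives run together without commas, and a missing `no-store`. The function names and sample values are constructed for illustration; quoted-string arguments that contain commas are not handled.

```python
# Added example: audit a Cache-Control response header value for a page
# that must not be redisplayed from cache after logout.

# Response directives from the HTTP caching specification, plus the two
# Internet Explorer extensions (pre-check, post-check) used in this thread.
KNOWN = {"no-store", "no-cache", "must-revalidate", "proxy-revalidate",
         "private", "public", "max-age", "s-maxage", "no-transform",
         "pre-check", "post-check"}

# Constructed sample values (assumptions, written for this example).
MISSPELT = "non-store, no-cache, must-revalidate"
RUN_TOGETHER = "private, no-cache, must-revalidate no-store"
CORRECT = "no-store, no-cache, must-revalidate"


def parse_cache_control(value):
    """Split a header value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def audit(value):
    """Return a list of findings; an empty list means no problem was found."""
    findings = []
    directives = parse_cache_control(value)
    for name, arg in directives.items():
        if " " in name or (arg and " " in arg):
            # Two directives separated only by a space parse as one token.
            findings.append(f"missing comma in {name!r}")
        elif name not in KNOWN:
            findings.append(f"unrecognised response directive {name!r}")
    if "no-store" not in directives:
        findings.append("no-store absent: caches are allowed to store this response")
    return findings


if __name__ == "__main__":
    for sample in (MISSPELT, RUN_TOGETHER, CORRECT):
        print(sample, "->", audit(sample) or "ok")
```
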
 

Author Comment

by:mike99c
ID: 20365661
Where exactly shall I place this? do I place it within the <head> section at the top and the <head> section at the bottom after the </body> tag?
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365785
I'd scrap the <head> section at the bottom altogether because that is a really dated method.

So put this after <%response.buffer=true%>

and then after </html>
0
 

Author Comment

by:mike99c
ID: 20365887
Hi Rouchie,
That is perfect, it worked really well. I will award you the full points.
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365971
Great stuff.  I'll keep that one for future reference :-)
0
 

Author Comment

by:mike99c
ID: 20366164
Just for your information, I did not have to add after the </html> and it still worked fine.
0
