Cannot kill browser cache after session logout when hitting back button

I have a web site developed using ASP/VBScript. This site allows members to log in using session cookies. When they sign out I make sure the session cookies are abandoned. I have also added the following to the header of each page:

<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-cache" />

Despite this, when a person logs out it is still possible to bit the back button of the browser and view the pages within their account. I have protected the pages so that any attempt to click on links within protected pages would redirect to a login page. However I would like to do something similar to Hotmail, when I log out and hit the back button the pages are expired and cannot be viewed.
mike99cAsked:
Who is Participating?
 
RouchieConnect With a Mentor Commented:
Here's a slightly different version to try.  Put it at the top and bottom.
<%
Response.ExpiresAbsolute = #2000-01-01#
response.AddHeader "Pragma", "no-cache"
response.AddHeader "cache-control", "private, no-cache, must-revalidate no-store pre-check=0 post-check=0 max-stale=0"
%>

Open in new window

0
 
RouchieCommented:
This usually works for me in ASP (put at the top of the page, obviously)...

<% Response.CacheControl = "no-cache" %>
<% Response.AddHeader "Pragma", "no-cache" %>
<% Response.AddHeader "cache-control", "no-store, no-cache, must-revalidate" %>
<% Response.Expires = -1 %>
0
 
mike99cAuthor Commented:
Hello,
Unfortunately this did not work. First of all I used the response commands to write the header information but nothing appeared. In the end I had to hard code the following:

<head>
<meta http-equiv="pragma" content="no-cache" />        
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-store" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="cache-control" content="must-revalidate" />

When I logged into the session controlled pages then looged out, I was still able to hit the back button of the browser and see the pages. If I refreshed the back pages manually it forced a log in box to appear so clearly the browser is not trying to get a new page from the server.

For the cache control I even used the following method:
<meta http-equiv="cache-control" content="non-store,no-cache,must-revalidate" />

This also failed to kill the cache.
0
Cloud Class® Course: CompTIA Cloud+

The CompTIA Cloud+ Basic training course will teach you about cloud concepts and models, data storage, networking, and network infrastructure.

 
RouchieCommented:
This has come from the Microsoft Web Site:

"Note that the use of standard HTTP headers are much preferred over META tags. META tags typically must appear at the top of the HTML HEAD section. And there is at least one known problem with the Pragma HTTP-EQUIV META tag. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
222064 (http://support.microsoft.com/kb/222064/) "Pragma: No-cache" tag may not prevent page from being cached "

0
 
RouchieCommented:
Also you should clear the browser cache manually before testing the pages.  And also some sites recommend restarting IIS before testing.
0
 
mike99cAuthor Commented:
Hello,
I am actually aware of the Microsoft issue and did in fact place the directives in the footer:

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="pragma" content="no-cache" />        
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-store" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="cache-control" content="must-revalidate" />

..
..
</body>
<head>
<meta http-equiv="pragma" content="no-cache" />        
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-store" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="cache-control" content="must-revalidate" />
</head>
</html>
-----------------------------------------
I manually cleared the offline content and the history then closed the browser and started again. I still could not get the cache to go away.

I have yet to try restarting IIS but cannot do so at this moment.

Any other ideas would be welcome.
0
 
RouchieCommented:
I don't think placing the <head> section after <body> is legitimate.  It seems a very odd way to do this and after all is dated from way back in the past.

I think using the ASP method, or configuring IIS is the best approach.  What happened when you used the ASP Response way to do this?  Did the page load?
0
 
mike99cAuthor Commented:
When I did the ASP method the page did load fine but when I viewed the source there was nothing there but an empty space. All other ASP responses in the same page worked fine.
I have attached the code snippet of what I applied when I tried using the ASP response methods.
<%@ enablesessionstate=true %>
<% Option Explicit %>
<%response.buffer=true%>
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="<%=Language%>">
<head>
<% Response.CacheControl = "no-cache" %>
<% Response.AddHeader "Pragma", "no-cache" %>
<% Response.AddHeader "cache-control", "no-store, no-cache, must-revalidate" %>
<% Response.Expires = -1 %>

Open in new window

0
 
RouchieCommented:
The ASP code to stop caching doesn't need to be in <head>.
Instead it can go directly underneath <%response.buffer=true%>

Some authors also recommend puttting the same block of cache-prevention code at the very end of the page.  I can't seem to find any information online about why this isn't working for you.
0
 
mike99cAuthor Commented:
Where exactly shall I place this? do I place it within the <head> section at the top and the <head> section at the bottom after the </body> tag?
0
 
RouchieCommented:
I'd scrap the <head> section at the bottom altogether because that is a really dated method.

So put this after <%response.buffer=true%>

and then after </html>
0
 
mike99cAuthor Commented:
Hi Rouchie,
That is perfect, it worked realy well. I will award you the full points
0
 
RouchieCommented:
Great stuff.  I'll keep that one for future reference :-)
0
 
mike99cAuthor Commented:
Just for your information, I did not have to add after the </html> and it still worked fine.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.