Solved

Cannot kill browser cache after session logout when hitting back button

Posted on 2007-11-28
14
598 Views
Last Modified: 2012-05-05
I have a web site developed using ASP/VBScript. This site allows members to log in using session cookies. When they sign out I make sure the session cookies are abandoned. I have also added the following to the header of each page:

<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-cache" />

Despite this, when a person logs out it is still possible to bit the back button of the browser and view the pages within their account. I have protected the pages so that any attempt to click on links within protected pages would redirect to a login page. However I would like to do something similar to Hotmail, when I log out and hit the back button the pages are expired and cannot be viewed.
0
Comment
Question by:mike99c
  • 8
  • 6
14 Comments
 
LVL 25

Expert Comment

by:Rouchie
ID: 20364909
This usually works for me in ASP (put at the top of the page, obviously)...

<% Response.CacheControl = "no-cache" %>
<% Response.AddHeader "Pragma", "no-cache" %>
<% Response.AddHeader "cache-control", "no-store, no-cache, must-revalidate" %>
<% Response.Expires = -1 %>
0
 

Author Comment

by:mike99c
ID: 20365163
Hello,
Unfortunately this did not work. First of all I used the response commands to write the header information but nothing appeared. In the end I had to hard code the following:

<head>
<meta http-equiv="pragma" content="no-cache" />        
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-store" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="cache-control" content="must-revalidate" />

When I logged into the session controlled pages then looged out, I was still able to hit the back button of the browser and see the pages. If I refreshed the back pages manually it forced a log in box to appear so clearly the browser is not trying to get a new page from the server.

For the cache control I even used the following method:
<meta http-equiv="cache-control" content="non-store,no-cache,must-revalidate" />

This also failed to kill the cache.
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365259
This has come from the Microsoft Web Site:

"Note that the use of standard HTTP headers are much preferred over META tags. META tags typically must appear at the top of the HTML HEAD section. And there is at least one known problem with the Pragma HTTP-EQUIV META tag. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
222064 (http://support.microsoft.com/kb/222064/) "Pragma: No-cache" tag may not prevent page from being cached "

0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365270
Also you should clear the browser cache manually before testing the pages.  And also some sites recommend restarting IIS before testing.
0
 

Author Comment

by:mike99c
ID: 20365351
Hello,
I am actually aware of the Microsoft issue and did in fact place the directives in the footer:

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="pragma" content="no-cache" />        
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-store" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="cache-control" content="must-revalidate" />

..
..
</body>
<head>
<meta http-equiv="pragma" content="no-cache" />        
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-store" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="cache-control" content="must-revalidate" />
</head>
</html>
-----------------------------------------
I manually cleared the offline content and the history then closed the browser and started again. I still could not get the cache to go away.

I have yet to try restarting IIS but cannot do so at this moment.

Any other ideas would be welcome.
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365401
I don't think placing the <head> section after <body> is legitimate.  It seems a very odd way to do this and after all is dated from way back in the past.

I think using the ASP method, or configuring IIS is the best approach.  What happened when you used the ASP Response way to do this?  Did the page load?
0
 

Author Comment

by:mike99c
ID: 20365443
When I did the ASP method the page did load fine but when I viewed the source there was nothing there but an empty space. All other ASP responses in the same page worked fine.
I have attached the code snippet of what I applied when I tried using the ASP response methods.
<%@ enablesessionstate=true %>

<% Option Explicit %>

<%response.buffer=true%>

<?xml version="1.0" encoding="iso-8859-1"?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="<%=Language%>">

<head>

<% Response.CacheControl = "no-cache" %>

<% Response.AddHeader "Pragma", "no-cache" %>

<% Response.AddHeader "cache-control", "no-store, no-cache, must-revalidate" %>

<% Response.Expires = -1 %>

Open in new window

0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 25

Expert Comment

by:Rouchie
ID: 20365596
The ASP code to stop caching doesn't need to be in <head>.
Instead it can go directly underneath <%response.buffer=true%>

Some authors also recommend puttting the same block of cache-prevention code at the very end of the page.  I can't seem to find any information online about why this isn't working for you.
0
 
LVL 25

Accepted Solution

by:
Rouchie earned 500 total points
ID: 20365624
Here's a slightly different version to try.  Put it at the top and bottom.
<%

Response.ExpiresAbsolute = #2000-01-01#

response.AddHeader "Pragma", "no-cache"

response.AddHeader "cache-control", "private, no-cache, must-revalidate no-store pre-check=0 post-check=0 max-stale=0"

%>

Open in new window

0
 

Author Comment

by:mike99c
ID: 20365661
Where exactly shall I place this? do I place it within the <head> section at the top and the <head> section at the bottom after the </body> tag?
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365785
I'd scrap the <head> section at the bottom altogether because that is a really dated method.

So put this after <%response.buffer=true%>

and then after </html>
0
 

Author Comment

by:mike99c
ID: 20365887
Hi Rouchie,
That is perfect, it worked realy well. I will award you the full points
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365971
Great stuff.  I'll keep that one for future reference :-)
0
 

Author Comment

by:mike99c
ID: 20366164
Just for your information, I did not have to add after the </html> and it still worked fine.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

This script will sweep a range of IP addresses (class c only, 255.255.255.0) and report to a log the version of office installed. What it does: 1.)      Creates log file in the directory the script is run from (if it doesn't already exist) 2.)      Sweep…
This is pretty cool.  The purpose of this VB Script is to help you document where JAR (Java ARchive) files and specifically java class files are located so that you can address issues seen with a client or that you can speak intelligently with a dev…
Learn the basics of lists in Python. Lists, as their name suggests, are a means for ordering and storing values. : Lists are declared using brackets; for example: t = [1, 2, 3]: Lists may contain a mix of data types; for example: t = ['string', 1, T…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now