Solved

Cannot kill browser cache after session logout when hitting back button

Posted on 2007-11-28
Last Modified: 2012-05-05
I have a web site developed using ASP/VBScript. This site allows members to log in using session cookies. When they sign out I make sure the session cookies are abandoned. I have also added the following to the header of each page:

<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-cache" />

Despite this, when a person logs out it is still possible to hit the back button of the browser and view the pages within their account. I have protected the pages so that any attempt to click on links within protected pages would redirect to a login page. However I would like to do something similar to Hotmail, when I log out and hit the back button the pages are expired and cannot be viewed.
0
Question by:mike99c
14 Comments
 
LVL 25

Expert Comment

by:Rouchie
ID: 20364909
This usually works for me in ASP (put at the top of the page, obviously)...

<% Response.CacheControl = "no-cache" %>
<% Response.AddHeader "Pragma", "no-cache" %>
<% Response.AddHeader "cache-control", "no-store, no-cache, must-revalidate" %>
<% Response.Expires = -1 %>
0
 

Author Comment

by:mike99c
ID: 20365163
Hello,
Unfortunately this did not work. First of all I used the response commands to write the header information but nothing appeared. In the end I had to hard code the following:

<head>
<meta http-equiv="pragma" content="no-cache" />        
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-store" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="cache-control" content="must-revalidate" />

When I logged into the session controlled pages then logged out, I was still able to hit the back button of the browser and see the pages. If I refreshed the back pages manually it forced a log in box to appear so clearly the browser is not trying to get a new page from the server.

For the cache control I even used the following method:
<meta http-equiv="cache-control" content="non-store,no-cache,must-revalidate" />

This also failed to kill the cache.
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365259
This has come from the Microsoft Web Site:

"Note that the use of standard HTTP headers are much preferred over META tags. META tags typically must appear at the top of the HTML HEAD section. And there is at least one known problem with the Pragma HTTP-EQUIV META tag. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
222064 (http://support.microsoft.com/kb/222064/) "Pragma: No-cache" tag may not prevent page from being cached "

0

 
LVL 25

Expert Comment

by:Rouchie
ID: 20365270
Also you should clear the browser cache manually before testing the pages.  And also some sites recommend restarting IIS before testing.
0
 

Author Comment

by:mike99c
ID: 20365351
Hello,
I am actually aware of the Microsoft issue and did in fact place the directives in the footer:

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="pragma" content="no-cache" />        
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-store" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="cache-control" content="must-revalidate" />

..
..
</body>
<head>
<meta http-equiv="pragma" content="no-cache" />        
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="non-store" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="cache-control" content="must-revalidate" />
</head>
</html>
-----------------------------------------
I manually cleared the offline content and the history then closed the browser and started again. I still could not get the cache to go away.

I have yet to try restarting IIS but cannot do so at this moment.

Any other ideas would be welcome.
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365401
I don't think placing the <head> section after <body> is legitimate.  It seems a very odd way to do this and after all is dated from way back in the past.

I think using the ASP method, or configuring IIS is the best approach.  What happened when you used the ASP Response way to do this?  Did the page load?
0
 

Author Comment

by:mike99c
ID: 20365443
When I did the ASP method the page did load fine but when I viewed the source there was nothing there but an empty space. All other ASP responses in the same page worked fine.
I have attached the code snippet of what I applied when I tried using the ASP response methods.
<%@ enablesessionstate=true %>
<% Option Explicit %>
<%response.buffer=true%>
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="<%=Language%>">
<head>
<% Response.CacheControl = "no-cache" %>
<% Response.AddHeader "Pragma", "no-cache" %>
<% Response.AddHeader "cache-control", "no-store, no-cache, must-revalidate" %>
<% Response.Expires = -1 %>


0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365596
The ASP code to stop caching doesn't need to be in <head>.
Instead it can go directly underneath <%response.buffer=true%>

Some authors also recommend putting the same block of cache-prevention code at the very end of the page.  I can't seem to find any information online about why this isn't working for you.
0
 
LVL 25

Accepted Solution

by:
Rouchie earned 500 total points
ID: 20365624
Here's a slightly different version to try.  Put it at the top and bottom.
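<%
' Expire the response with a date in the past.
Response.ExpiresAbsolute = #2000-01-01#
' For HTTP/1.0 caches.
Response.AddHeader "Pragma", "no-cache"
' For HTTP/1.1 caches; the directives must be separated by commas.
Response.AddHeader "cache-control", "private, no-cache, must-revalidate, no-store, pre-check=0, post-check=0, max-stale=0"
%>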


0
 

Author Comment

by:mike99c
ID: 20365661
Where exactly shall I place this? Do I place it within the <head> section at the top and the <head> section at the bottom after the </body> tag?
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365785
I'd scrap the <head> section at the bottom altogether because that is a really dated method.

So put this after <%response.buffer=true%>

and then after </html>
0
 

Author Comment

by:mike99c
ID: 20365887
Hi Rouchie,
That is perfect, it worked really well. I will award you the full points.
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 20365971
Great stuff.  I'll keep that one for future reference :-)
0
 

Author Comment

by:mike99c
ID: 20366164
Just for your information, I did not have to add after the </html> and it still worked fine.
0
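
An added example, not part of the original thread: a small JavaScript (Node.js) check for testing logout behaviour. It parses a Cache-Control response header and reports whether no-store and no-cache are actually present, since a misspelt token such as non-store, or a directive list missing its commas, is read as an unknown directive. The function names and sample headers are constructed for illustration.

```javascript
// Added example: audit the caching headers of a protected page's response.
// Cache-Control is a comma-separated list of case-insensitive directives;
// a cache ignores any directive it does not recognise.

function parseCacheControl(value) {
  const directives = new Map();
  for (const part of String(value || "").split(",")) {
    const token = part.trim();
    if (!token) continue;
    const eq = token.indexOf("=");
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    const arg = eq === -1 ? null : token.slice(eq + 1).trim().replace(/^"|"$/g, "");
    directives.set(name, arg);
  }
  return directives;
}

// Subset of standard response directives; anything else is reported.
const KNOWN = new Set(["no-store", "no-cache", "must-revalidate", "private",
  "public", "max-age", "s-maxage", "proxy-revalidate", "no-transform"]);

// headers: plain object of response header name -> value (any letter case).
function auditNoCache(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const cc = parseCacheControl(lower["cache-control"]);
  const findings = [];
  if (!cc.has("no-store")) findings.push("no-store absent: response may be stored");
  if (!cc.has("no-cache")) findings.push("no-cache absent: stored copy may be reused without revalidation");
  for (const name of cc.keys()) {
    if (!KNOWN.has(name)) findings.push(`unrecognised directive: "${name}"`);
  }
  return { ok: cc.has("no-store") && cc.has("no-cache"), findings };
}

// Constructed sample responses (not captured from the site discussed above).
const SAMPLES = {
  good: { "Cache-Control": "private, no-store, no-cache, must-revalidate", "Pragma": "no-cache" },
  typo: { "Cache-Control": "non-store, no-cache, must-revalidate" },
  noCommas: { "Cache-Control": "private, no-cache, must-revalidate no-store" },
  none: { "Content-Type": "text/html" },
};

function auditAll() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, hdrs]) => [name, auditNoCache(hdrs)]));
}
```

Feed `auditNoCache` the headers seen in the browser's network tools for a protected page; the check only covers headers actually sent by the server, not `<meta http-equiv>` tags in the markup.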
