RE: Re[2]: Preventing user from going back
If the question has turned into: can you secure an application on the client side? the answer is no. If a user has access to the security source code then a way can always be devised to crack it. In my own investigation of this same topic I have concluded that the javascript cache clearing is an iffy solution at best.

The problem my own group has involves multiple people with different access permissions using the same public workstation to access patient records. If a medical director logs into our reporting site and views a patient and then logs off, what is to prevent an intern from using the back button to view the same cached report? Javascript can clear the cache, remove the back button, or force a reload of the page to check permissions. But if javascript is off in the browser, then there is nothing to prevent this.

A half-way solution we have yet to implement would be to check and see if javascript is enabled to complete the login process and then have javascript close the browser window on logout. Placing an icon to the site on the desktop would allow one click access to return to login. But, again, this can be sidestepped.

So ultimately the real security will take place in training. In training the doctors, we stress the importance of closing the window after they access patient records. And as backup to this, we keep a server side timestamp of their login purposefully very short to ensure with reasonable accuracy that even if they walk away from the workstation logged in, that trying to continue will re-require login to continue. But if they leave the browser open and javascript is not enabled, then the history is open for back browsing.

Unfortunately, in the end we must conclude the obvious: an internet browser in a multi user environment is not an ideal security arrangement. Lucky for us, we also have in house applications that access patient records locally and which are far more secure. Further, the PCs themselves are in a secure environment or in clear view of staff.

Good Fortune,
Richard Walters, Internet Application Designer, Davita Laboratory Services
[EMAIL PROTECTED]
(800) 604-5227 x

[EMAIL PROTECTED] 05/30/02 04:01PM

and then all someone has to do is use a program to spoof the referrer information and they're in. The only thing that you as a web programmer can do without beating your head against the wall is to make sure you qualify all variables passed to the page, check them to make sure they are of the length and type you want and then have error checking to test the values. If you do that, then it doesn't matter where the information is coming.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org
RE: Re[2]: Preventing user from going back
What I've done to try to prevent this is use CFHEADER to tell the browser not to cache. I made the following code into a Custom Tag and call it from my app_layout.cfm (Fusebox). This should force each page to reload from the server. If you are checking for a valid login with each page load, you will catch those trying to view a page but who are not logged in.

I'm not sure how many browsers support this, but I think it's safe to assume versions 4+ of IE and NS should work. Anyone on the list have better info on these headers? I admit I haven't tested this code thoroughly and compared browsers. For my purposes, I just want to do all I can to prevent the problem but it's no security problem if it doesn't work consistently.

Also, I believe that IE and NS had a slightly different way of handling the Last-Modified header and the CFSCRIPT code is supposed to handle this--I think (I found this code somewhere and don't recall all the details).

Maybe this is worth a look?

Chris Lofback
Sr. Web Developer
TRX Integration
28051 US 19 N., Ste. C
Clearwater, FL 33761
www.trxi.com

    <CFSCRIPT>
        // Server time zone offset in hours, appended after "GMT" in Last-Modified
        GMT = GetTimeZoneInfo();
        GMT = GMT.UTCHourOffset;
        if (GMT IS 0) GMT = '';
        else if (GMT GT 0) GMT = "+" & GMT;
    </CFSCRIPT>
    <CFHEADER NAME="Pragma" VALUE="no-cache">
    <CFHEADER NAME="Cache-Control" VALUE="no-cache, must-revalidate">
    <CFHEADER NAME="Last-Modified" VALUE="#DateFormat(Now(),'ddd, dd mmm yyyy')# #TimeFormat(Now(),'HH:mm:ss')# GMT#GMT#">
    <CFHEADER NAME="Expires" VALUE="Mon, 26 Jul 1997 05:00:00 GMT">

FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
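Added example (not part of any message in this thread): one way to combine the no-cache headers above with the per-request login check and the short server-side timeout that Rick Walters and Chris Lofback describe, written as an Application.cfm. The application name, the page names, the 5-minute limit and the session.userId / session.lastSeen variables are assumptions made for illustration.

```cfml
<!--- Application.cfm (added example, not from the thread).
      ColdFusion runs this file before every template in the application. --->
<cfapplication name="reportsDemo"
               sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 5, 0)#">

<!--- Assumptions: login.cfm sets session.userId and session.lastSeen after a
      successful login; logout.cfm deletes both. --->
<cfset idleLimitMinutes = 5>
<cfset publicPages = "login.cfm,logout.cfm">
<cfset thisPage = ListLast(cgi.SCRIPT_NAME, "/")>

<!--- Cache headers go out on every response, before any HTML. They only ask
      the browser to come back to the server; they are not the access control. --->
<cfheader name="Cache-Control" value="no-store, no-cache, must-revalidate">
<cfheader name="Pragma" value="no-cache">
<cfheader name="Expires" value="Mon, 26 Jul 1997 05:00:00 GMT">

<cfif ListFindNoCase(publicPages, thisPage) EQ 0>
    <cfset loggedIn = false>
    <cflock scope="session" type="exclusive" timeout="10">
        <cfif IsDefined("session.userId") AND IsDefined("session.lastSeen")>
            <cfif DateDiff("n", session.lastSeen, Now()) LT idleLimitMinutes>
                <!--- Still active: slide the idle window forward --->
                <cfset session.lastSeen = Now()>
                <cfset loggedIn = true>
            <cfelse>
                <!--- Walked away: drop the login even though the browser is open --->
                <cfset StructDelete(session, "userId")>
                <cfset StructDelete(session, "lastSeen")>
            </cfif>
        </cfif>
    </cflock>

    <!--- Back button after logout or timeout ends up here: the page is
          requested again (no-store), the session has no userId, and the
          report is never sent. --->
    <cfif NOT loggedIn>
        <cflocation url="login.cfm" addtoken="no">
    </cfif>
</cfif>
```

In the shared-workstation case Rick describes, the report template still has to check that the logged-in user may see the requested patient; this file only establishes that someone is logged in.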
RE: Re[2]: Preventing user from going back
I forgot to mention that the code needs to go before any HTML code, including <!DOCTYPE> tags.

Chris Lofback
Sr. Web Developer
TRX Integration
28051 US 19 N., Ste. C
Clearwater, FL 33761
www.trxi.com
Preventing user from going back
Hey all,

Does anyone have an easy way to prevent the user from going back to the previous page?

--
Mark Smeets / stranger0 / ICQ: 1062196
[EMAIL PROTECTED]
http://www.prowerks.com/stranger
Life is a series of small victories - Gene Simmons
RE: Preventing user from going back
    <!--- Client side cache prevention --->
    <meta http-equiv="Expires" content="0">

    <!--- Setup our expire times for Netscape and Internet Explorer --->
    <cfoutput>
    <!--- Internet Explorer Date Format: (Fri, 30 Oct 1998 14:19:41 GMT) --->
    <cfset MSIEtimestamp='#dateformat(now(),"DDD")#,#dateformat(now(),"DD")# #dateformat(now(),"Mmm")# #timeformat(now(),"HH:mm:ss")#'>
    <!--- Netscape Date Format: Netscape (Wednesday, Apr 26 2000 17:45:25 PM) --->
    <cfset NETSCAPEtimestamp='#dateformat(now(),"DDDD")#,#dateformat(now(),"MMM")# #dateformat(now(),"dd")# #dateformat(now(),"YYYY")# #timeformat(now(),"HH:mm:ss tt")#'>
    </cfoutput>

    <!--- Tell HTTP Header to force expire of page - nocache --->
    <cfif HTTP_USER_AGENT contains "MSIE">
        <cfheader name="Expires" value="#MSIEtimestamp#">
        <cfheader name="Pragma" value="no-cache">
        <cfheader name="cache-control" value="no-cache, no-store, must-revalidate">
    <cfelse>
        <cfheader name="Expires" value="#NETSCAPEtimestamp#">
        <cfheader name="Pragma" value="no-cache">
        <cfheader name="cache-control" value="no-cache, no-store, must-revalidate">
    </cfif>
Re: Preventing user from going back
oi Mark!!

    <SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript">
    <!--
    window.history.forward();
    //-->
    </SCRIPT>

on the preceding page

--
Critz
Certified Adv. ColdFusion Developer

Crit[s2k] - CF_ChannelOP Network=Efnet Channel=ColdFusion
RE: Preventing user from going back
Mark,

I've been wrestling with this issue myself lately. There is no direct and easy way that I've found. It depends largely on what the context is.

For example, if you have a five-page registration procedure and don't want the user to go back using the browser buttons from 4 to 3, you can enforce the flow by only allowing 3 to accept a referring page of 2. In all other cases, you CFLOCATION back to the referring page. But this could be very user-unfriendly.

If you don't know what the previous page is, you could do the old annoying standby of putting a meta refresh page before the page in question, so that any single click on the back button bounces them forward again.

The most friendly, but not completely enforceable method I've found is to use the onBeforeUnload() JavaScript event that IE recognizes. (I am lucky enough to have a user base limited to one browser.)

Toward the top of the page, you use this JS to set a variable:

    var properExit = false;

You also add this function:

    function confirmExit() {
        if (properExit != true) {
            return "Use of your browser's back buttons may cause problems with the site. Please click Cancel and use the appropriate buttons within the form.";
        }
    }

In the page's body tag, you add the onBeforeUnload attribute as below:

    <BODY ... onBeforeUnload='return confirmExit();'>

If you have any buttons or hyperlinks on the page that are allowable exits, then add the onClick attribute as below:

    <INPUT type='image' name='submit' ... onClick='properExit=true;'>

..or...

    <A HREF='www.yahoo.com' ... onClick='properExit=true;'>

This way, on exit that uses a browser button (Back, Forward, and Refresh/Reload all trigger this), the user is prompted with the message in the confirmExit function. There is no way that I've found to force cancellation of the page move, but this at least lets you ask the user nicely, at which point they can choose to cancel the move.

Hope this helps,
Matthieu
Re: Preventing user from going back
What happens if I disable javascript?
Re[2]: Preventing user from going back
oi Alex!!

then you could always do this

    <noscript><meta refresh..></noscript>

seeing as how most of us develop web applications and not websites... if javascript is disabled, then they don't need to be there..

--
Critz
Certified Adv. ColdFusion Developer

Crit[s2k] - CF_ChannelOP Network=Efnet Channel=ColdFusion
Re: Preventing user from going back
The javascript won't execute... :)

Seriously though, another option is to run the wizard in a popup with no chrome. Then no back button will exist in the first place.

However you should try to make the registration process back-button proof in the first place.

jon
Re: Re[2]: Preventing user from going back
What if I view the file source, erase all the java script code that is bothering me. Save the file onto my local hard disk and run the browser over it and try going back???

regards
Mario
Re[4]: Preventing user from going back
oi Mario!!

well then I reckon you'd just have too much time on yer hands

--
Critz
Certified Adv. ColdFusion Developer

Crit[s2k] - CF_ChannelOP Network=Efnet Channel=ColdFusion
RE: Re[4]: Preventing user from going back
Why don't you tell us why you don't want people to be able to GO BACK? Depending on the situation you're facing, you might be beating your head against the wall for nothing.

The only reason I can think of why you wouldn't want someone to be able to go back, is because of form submission, and personally well written code and a client variable takes care of this problem every time.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org
Re: Re[2]: Preventing user from going back
One could do what ifs all day long, if you need to worry about someone going through all that much trouble, then perhaps you should just not put the information on the web in the first place.

Heck, you asked for an easy way and are coming up with complicated ways they can get past that.

--
Snipe - CF_BotMaster
Network=EFNet Channel=ColdFusion
--
Re: Re[2]: Preventing user from going back
Interesting point. I took it upon myself to test out your question and found that you CAN go back.
RE: Re[2]: Preventing user from going back
The only way I have seen to do this, and it was mentioned by someone earlier, is to only allow for a specific referer. You would use the url to the page that the user 'should' be coming from like this:

<cfif cgi.HTTP_REFERER is 'my url'>
    <!--- Allow the template to process --->
<cfelse>
    <!--- move them somewhere else either with cflocation or a script --->
</cfif>

Tim Heald
ACP/CCFD :)
Application Development
www.schoollink.net
RE: Re[2]: Preventing user from going back
and then all someone has to do is use a program to spoof the referrer information and they're in.

The only thing that you as a web programmer can do without beating your head against the wall is to make sure you qualify all variables passed to the page, check them to make sure they are of the length and type you want and then have error checking to test the values. If you do that, then it doesn't matter where the information is coming from.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org
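The Referer check and the server-side variable checks from the two messages above, side by side, as an added example that is not part of the original thread. It is written in Python rather than ColdFusion so that it runs stand-alone; the URL, field names, length limits and sample requests are all constructed for illustration.

```python
EXPECTED_REFERER = "https://intranet.example/report_list.cfm"  # constructed URL

# Hypothetical schema for one page: field name -> (required type, max length)
SCHEMA = {"report_id": (int, 9), "format": (str, 4)}
ALLOWED_FORMATS = {"html", "pdf"}


def referer_gate(headers):
    """The check from the thread: pass only if the client-supplied Referer matches."""
    return headers.get("Referer", "") == EXPECTED_REFERER


def validate(params):
    """Return (clean, errors) after checking presence, length, type and allowed values."""
    clean, errors = {}, []
    for name, (kind, max_len) in SCHEMA.items():
        raw = params.get(name)
        if not isinstance(raw, str) or not raw:
            errors.append(f"{name}: missing")
        elif len(raw) > max_len:
            errors.append(f"{name}: longer than {max_len}")
        elif kind is int and not (raw.isascii() and raw.isdigit()):
            errors.append(f"{name}: not a whole number")
        else:
            clean[name] = kind(raw)
    if "format" in clean and clean["format"] not in ALLOWED_FORMATS:
        errors.append("format: not an allowed value")
        del clean["format"]
    for name in sorted(params.keys() - SCHEMA.keys()):
        errors.append(f"{name}: unexpected field")
    return clean, errors


# Constructed requests: (label, request headers, submitted parameters)
SAMPLES = [
    ("normal click", {"Referer": EXPECTED_REFERER}, {"report_id": "1042", "format": "pdf"}),
    ("matching Referer, bad data", {"Referer": EXPECTED_REFERER}, {"report_id": "1042abc", "format": "pdf"}),
    ("no Referer sent, good data", {}, {"report_id": "7", "format": "html"}),
]


def compare():
    """For each sample return (label, referer gate passes, validation passes)."""
    return [(label, referer_gate(h), not validate(p)[1]) for label, h, p in SAMPLES]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The second sample passes the Referer gate with malformed data, and the third is a well-formed request that the gate turns away because the browser sent no Referer; only the validation result tracks what the server actually needs to know.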