On 12/1/05, info3853 Bush <[EMAIL PROTECTED]> wrote:
> That's true. This topic belongs to web application security.
>
> The thing is that all static content is shown when you use the "back"
> button. Of course, you can't click any link since the session is already
> invalidated.

Mark the page as non-cacheable with a "no-cache, no-store" Cache-Control header. You may want to add some other headers too, like must-revalidate. When you hit Back, the browser would try to reload the page; here you would show the error.

Michael.
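
The headers suggested in the reply above, as an added example that is not part of the original message: a Python WSGI middleware that forces them onto a protected page, so a re-request after logout reaches the server and gets the error instead of a cached copy. The names `account_page`, `no_cache`, `fetch`, `logout` and the `sid` cookie are hypothetical, and the `Pragma` and `Expires` headers are an assumption about which "other headers" to add.

```python
from wsgiref.util import setup_testing_defaults

# Cache-Control value from the reply; Pragma/Expires added for HTTP/1.0 caches.
NO_CACHE = [
    ("Cache-Control", "no-cache, no-store, must-revalidate"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]
_CACHE_NAMES = {name.lower() for name, _ in NO_CACHE}

SESSIONS = {"abc123"}  # constructed server-side session store


def account_page(environ, start_response):
    """Hypothetical protected page: served only while the session exists."""
    sid = environ.get("HTTP_COOKIE", "").partition("sid=")[2].split(";")[0]
    if sid in SESSIONS:
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"account details"]
    start_response("401 Unauthorized", [("Content-Type", "text/plain")])
    return [b"session expired, please log in again"]


def no_cache(app):
    """Middleware: replace any caching headers set by `app` with NO_CACHE."""
    def wrapped(environ, start_response):
        def patched(status, headers, exc_info=None):
            kept = [(n, v) for n, v in headers if n.lower() not in _CACHE_NAMES]
            return start_response(status, kept + NO_CACHE, exc_info)
        return app(environ, patched)
    return wrapped


def fetch(app, cookie):
    """Issue one GET against `app`; return (status, headers dict, body)."""
    environ = {"HTTP_COOKIE": cookie}
    setup_testing_defaults(environ)  # fills in the remaining WSGI keys
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body


def logout(sid):
    """Invalidate the session on the server side."""
    SESSIONS.discard(sid)
```

The headers must also be present on the error response, otherwise the browser may cache that instead and show it after the user logs back in.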