> Plus:
> After you log a user out of a site, in the application.cfm file clear their
> CFID, CFTOKEN, JSESSIONID, and session, then do a cflocate to the index page
> of the site and that *should* prevent the back-button from letting anyone
> view secure pages (if you have everything else set up right).

I don't think this will completely eliminate the back problem. In most browsers, the user can click on an arrow or something on the back button to get a history and jump back to any page in the history. You can also sometimes get around this by just hitting back twice quickly in succession.

The best way around this is to close the browser window. If it's an intranet, you could try just making it policy that users close after logging out, or if that doesn't take off, use JavaScript to forcibly close the window. (This seems to be how most internet banking sites deal with the issue.) Though even this won't completely solve problems, as some browsers will get the user to confirm the close command, or even ignore it completely.
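
The logout handling described in the quoted message, written out as an Application.cfm fragment. This is an added example, not code from either poster. It goes beyond the thread by adding a server-side login check and no-cache response headers, and the names `exampleApp`, `url.logout`, `session.loggedIn` and `login.cfm` are assumptions.

```cfml
<!--- Application.cfm fragment: added example, not code from the thread.
      Assumed names: exampleApp, url.logout, session.loggedIn, login.cfm. --->
<cfapplication name="exampleApp" sessionmanagement="yes" setclientcookies="yes">

<!--- Ask browsers and proxies not to keep copies of pages served by the
      application, so that Back or the history list has to ask the server
      again instead of showing a stored copy. --->
<cfheader name="Cache-Control" value="no-store, no-cache, must-revalidate">
<cfheader name="Pragma" value="no-cache">
<cfheader name="Expires" value="0">

<cfif structKeyExists(url, "logout")>
    <!--- Logout as described in the quoted message: expire the session
          cookies, empty the session scope, then redirect to the index page. --->
    <cfcookie name="CFID" value="" expires="now">
    <cfcookie name="CFTOKEN" value="" expires="now">
    <cfcookie name="JSESSIONID" value="" expires="now">
    <cfset structClear(session)>
    <cflocation url="index.cfm" addtoken="no">
</cfif>

<!--- Server-side gate: any request for a page that is not public must come
      from a session still marked as logged in. A request replayed from the
      browser history after logout no longer passes this check. --->
<cfset publicPages = "index.cfm,login.cfm">
<cfif not listFindNoCase(publicPages, getFileFromPath(cgi.script_name))
      and not (structKeyExists(session, "loggedIn") and session.loggedIn)>
    <cflocation url="login.cfm" addtoken="no">
</cfif>
```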

