I forgot to mention that the code needs to go before any HTML code,
including <!DOCTYPE tags.

Chris Lofback
Sr. Web Developer

TRX Integration
28051 US 19 N., Ste. C
Clearwater, FL  33761
www.trxi.com


-----Original Message-----
From: Chris Lofback [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 31, 2002 10:50 AM
To: CF-Talk
Subject: RE: Re[2]: Preventing user from going back


What I've done to try to prevent this is use CFHEADER to tell the browser
not to cache.  I made the following code into a Custom Tag and call it from
my app_layout.cfm (Fusebox).  This should force each page to reload from the
server.  If you are checking for a valid login with each page load, you will
catch those trying to view a page but who are not logged in.  I'm not sure
how many browsers support this, but I think it's safe to assume versions 4+
of IE and NS should work.

Anyone on the list have better info on these headers?  I admit I haven't
tested this code thoroughly and compared browsers.  For my purposes, I just
want to do all I can to prevent the problem but it's no security problem if
it doesn't work consistently.

Also, I believe that IE and NS had a slightly different way of handling the
"Last-Modified" header and the CFSCRIPT code is supposed to handle this--I
think (I found this code somewhere and don't recall all the details).  

Maybe this is worth a look?

Chris Lofback
Sr. Web Developer

TRX Integration
28051 US 19 N., Ste. C
Clearwater, FL  33761
www.trxi.com



<CFSCRIPT>
        // Convert server-local time to UTC before formatting: an HTTP date
        // is a GMT time followed by the literal "GMT", not a numeric hour
        // offset, so the UTC conversion replaces the old "GMT+n" suffix.
        utcNow = DateConvert("local2Utc", Now());
</CFSCRIPT>

<CFHEADER NAME="Pragma" VALUE="no-cache">
<CFHEADER NAME="Cache-Control" VALUE="no-cache, must-revalidate">
<CFHEADER NAME="Last-Modified" VALUE="#DateFormat(utcNow,'ddd, dd mmm yyyy')# #TimeFormat(utcNow,'HH:mm:ss')# GMT">
<CFHEADER NAME="Expires" VALUE="Mon, 26 Jul 1997 05:00:00 GMT">


-----Original Message-----
From: Rick Walters [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 31, 2002 10:22 AM
To: CF-Talk
Subject: RE: Re[2]: Preventing user from going back


If the question has turned into: "can you secure an application on the
client side?" the answer is no.  If a user has access to the security
source code then a way can always be devised to crack it.  

In my own investigation of this same topic I have concluded that the
javascript cache clearing is an "iffy" solution at best.  The problem my
own group has involves multiple people with different access permissions
using the same public workstation to access patient records.  If a
medical director logs into our reporting site and views a patient and
then logs off, what is to prevent an intern from using the back button
to view the same cached report?  Javascript can clear the cache, remove
the back button, or force a reload of the page to check permissions. 
But if javascript is "off" in the browser, then there is nothing to
prevent this.  

A half-way solution we have yet to implement would be to check and see
if javascript is enabled to complete the login process and then have
javascript close the browser window on logout.  Placing an icon to the
site on the desktop would allow "one click" access to return to login. 
But, again, this can be sidestepped.  So ultimately the real security
will take place in training.  In training the doctors, we stress the
importance of closing the window after they access patient records.  And
as backup to this, we keep a server side timestamp of their login
purposefully very short to ensure with reasonable accuracy that even if
they walk away from the workstation logged in, that trying to continue
will re-require login to continue.  But if they leave the browser open
and javascript is not enabled, then the history is open for back
browsing.

Unfortunately, in the end we must conclude the obvious: "an internet
browser in a multi user environment is not an ideal security
arrangement."  Lucky for us, we also have in house applications that
access patient records locally and which are far more secure.  Further,
the pc's themselves are in a secure environment or in clear view of
staff.

Good Fortune,
Richard Walters,
Internet Application Designer,
Davita Laboratory Services
[EMAIL PROTECTED]
(800) 604-5227 x 7777
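The two server-side controls discussed in this thread, as an added example that is not code from the CF-Talk posts, TRX Integration or Davita: Chris's no-cache header set, with Last-Modified rendered as a valid RFC 1123 GMT date (the part the ColdFusion snippet gets wrong with its numeric offset), and Rick's deliberately short server-side login timestamp checked on every page load. It is written in Python so it can be run stand-alone; the session ids, user names, /login.cfm path, idle limit and sample timestamps are all constructed for the example.

```python
"""Added example (not from the CF-Talk thread): the no-cache header set and
the short server-side session timestamp described above, in runnable form.
All names, paths, limits and sample times are constructed for this example."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

# Constructed sample: 10:50 local time in a UTC-4 zone on the day of the thread.
SAMPLE_LOCAL_TIME = datetime(2002, 5, 31, 10, 50, tzinfo=timezone(timedelta(hours=-4)))


def no_cache_headers(now):
    """Response headers telling browsers and proxies not to reuse this page."""
    if now.tzinfo is None:
        raise ValueError("pass an aware datetime so the GMT conversion is explicit")
    gmt_now = now.astimezone(timezone.utc)
    return {
        "Pragma": "no-cache",                                    # HTTP/1.0 clients
        # no-store is the directive that keeps a page out of history/back-button
        # reuse; no-cache alone allows a stored copy that is merely revalidated.
        "Cache-Control": "no-cache, no-store, must-revalidate",
        "Last-Modified": format_datetime(gmt_now, usegmt=True),  # RFC 1123, ends in "GMT"
        "Expires": "Mon, 26 Jul 1997 05:00:00 GMT",             # a date in the past
    }


def may_be_stored(headers):
    """Audit helper: True when the response lacks no-store, i.e. a browser may
    keep a copy that the back button can show after logout."""
    directives = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
    return "no-store" not in directives


class SessionStore:
    """Server-side sessions with a short idle limit (a sliding window)."""

    def __init__(self, idle_limit):
        self.idle_limit = idle_limit
        self._sessions = {}  # session id -> (user, last_seen)

    def login(self, sid, user, now):
        self._sessions[sid] = (user, now)

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def check(self, sid, now):
        """Return the user if the session is live, else None (dropping it)."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        user, last_seen = record
        if now - last_seen > self.idle_limit:
            del self._sessions[sid]
            return None
        self._sessions[sid] = (user, now)  # activity extends the window
        return user


def render_page(store, sid, now):
    """Per-request handler: validate the login first, and send the no-cache
    headers on every response, including the redirect to the login page."""
    headers = no_cache_headers(now)
    user = store.check(sid, now)
    if user is None:
        headers["Location"] = "/login.cfm"  # constructed path
        return 302, headers, ""
    return 200, headers, "patient report rendered for %s" % user


def demo_walkthrough():
    """Replay the scenario from the thread; returns the status per request."""
    t0 = SAMPLE_LOCAL_TIME
    store = SessionStore(idle_limit=timedelta(minutes=5))
    results = {}
    # Director logs in, views a report, logs out; the next request is refused.
    store.login("sid-director", "medical_director", t0)
    results["logged_in"] = render_page(store, "sid-director", t0 + timedelta(minutes=2))[0]
    store.logout("sid-director")
    results["after_logout"] = render_page(store, "sid-director", t0 + timedelta(minutes=3))[0]
    # Someone walks away logged in; after the idle limit the page re-requires login.
    store.login("sid-walkaway", "medical_director", t0)
    results["stale"] = render_page(store, "sid-walkaway", t0 + timedelta(minutes=6))[0]
    # Steady activity keeps a session alive past the nominal limit (sliding window).
    store.login("sid-active", "intern", t0)
    render_page(store, "sid-active", t0 + timedelta(minutes=4))
    results["active"] = render_page(store, "sid-active", t0 + timedelta(minutes=8))[0]
    return results


if __name__ == "__main__":
    print(no_cache_headers(SAMPLE_LOCAL_TIME))
    print(demo_walkthrough())
```

Note that may_be_stored() reports the thread's original "no-cache, must-revalidate" set as still storable: no-store is the directive that matters for back-button history, and the server-side login check on every page load is what actually decides whether a report is shown, whatever the browser has cached or whether JavaScript is on.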

______________________________________________________________________
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
