Message from Jacek Wiślicki of 2006-02-08 19:41 read:
I gave it a look. The problem becomes quite dangerous if a user logs out
and leaves a browser window open (tested with IE, Firefox and Opera).
Using history back retrieves all the previous pages. For example, if one
with some admin/manager privileges leaves some fragment in edit mode
before logging out, editing is still possible... Also access to all
administrative fragments is possible, provided their pages are in the
history (their actions rather wouldn't work, but the data is viewable).
I'll try to see if the problem can be resolved on the HTTP level, but it's
hard to say when.
The easiest solution is to set page caching either by sending HTTP
headers with the servlet response:

    // mark the response as already expired and forbid any cache from storing it
    response.setDateHeader("Expires", -1);
    response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, "
        + "max-stale=0, max-age=0, post-check=0, pre-check=0");
    response.setHeader("Pragma", "no-cache");
or adding equivalent meta tags in the page's head section:

    <meta http-equiv="Expires" content="0">
    <meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate, max-stale=0, max-age=0, post-check=0, pre-check=0">
    <meta http-equiv="Pragma" content="no-cache">
To completely block the "back" action, you should also add a JavaScript call
in the head section:

    <script>window.history.forward();</script>
This should work, I hope.
I'm not sure if meta tags are really equivalent to sending headers (they
should be, as far as I know). I've tested it with a simple servlet and
they worked differently from headers :/ Maybe I made some mistake, I don't
know...
--
regards,
Jacek Wislicki
[EMAIL PROTECTED]
tel.: +48 502 408 444
gg: 2540358
skype: jacek_wislicki
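The message sets the headers by hand in one servlet. A way to apply the same header set to every page served during a session, so that no authenticated page can be re-displayed from the browser cache after logout, is a servlet Filter. The class below is an added example, not code from the message or from the project being discussed; the class name NoCacheFilter and the web.xml mapping in its comment are assumptions, and it only relies on the standard javax.servlet 2.4 API.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of the project): adds the no-cache headers
 * from the message above to every response that belongs to an existing
 * HTTP session, so the browser never stores an authenticated page and
 * "back" after logout has to re-request it from the server, where the
 * normal session check applies.
 *
 * Assumed registration in web.xml (servlet 2.4):
 *
 *   <filter>
 *     <filter-name>NoCacheFilter</filter-name>
 *     <filter-class>NoCacheFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>NoCacheFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class NoCacheFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            // getSession(false) never creates a session, so anonymous requests
            // for public pages and static resources stay cacheable as before.
            if (request.getSession(false) != null) {
                applyNoCacheHeaders(response);
            }
        }
        // Headers are set before the chain runs so they precede any output
        // that would commit the response.
        chain.doFilter(req, res);
    }

    /** Same header set as in the message; "no-store" is the directive that matters most. */
    static void applyNoCacheHeaders(HttpServletResponse response) {
        response.setHeader("Cache-Control",
            "no-store, no-cache, must-revalidate, max-stale=0, max-age=0, post-check=0, pre-check=0");
        response.setHeader("Pragma", "no-cache");   // for HTTP/1.0 caches
        response.setDateHeader("Expires", -1);      // a date in the past: already expired
    }
}
```

Because the check is on the session rather than on a URL list, pages viewed while logged in get the headers regardless of which servlet rendered them. The logout response itself is sent after the session is invalidated and therefore stays cacheable, which is harmless since it contains no protected data. The headers stop the browser from reusing a stored copy; they do not replace the server-side check that every protected action requires a valid session, which is what actually decides what an expired session can see.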