[BangPypers] back button issues with session handling in flask
Hello guys, I'm making my own login module in Flask, and I'm now facing this problem pertaining to browser caching. After a user signs out (by setting session['logged_in'] = False or even doing session.clear()), if I press the back button on the browser, I can still see my homepage (which is supposed to be seen only when logged in).

There are a few constraints while dealing with this problem: first, I do not want to totally disable browser caching, as I believe it is important for the efficiency of the website; and second, I cannot use other extensions like Flask-Login etc., as I'm trying to make it on my own. How do I resolve this problem within the constraints?

___
BangPypers mailing list
BangPypers@python.org
https://mail.python.org/mailman/listinfo/bangpypers
Re: [BangPypers] back button issues with session handling in flask
Hi Adivandya,

On Sat, Sep 7, 2013 at 9:29 AM, Adivandhya adivand...@yahoo.co.in wrote:

> and second, I cannot use other extensions like Flask-Login etc., as I'm trying to make it on my own. How do I resolve this problem within the constraints?

If you poke into flask-login, how does it handle that?

Personally, I do not know of a web app where we keep any track of browser states. The idea could be to use URLs and work with the session object based on the URL you are at in terms of the web app.

-- Senthil
Re: [BangPypers] back button issues with session handling in flask
On Sat, Sep 7, 2013 at 9:59 PM, Adivandhya adivand...@yahoo.co.in wrote:

> Hello guys, I'm making my own login module in Flask, and I'm now facing this problem pertaining to browser caching. After a user signs out (by setting session['logged_in'] = False or even doing session.clear()), if I press the back button on the browser, I can still see my homepage (which is supposed to be seen only when logged in). There are a few constraints while dealing with this problem: first, I do not want to totally disable browser caching, as I believe it is important for the efficiency of the website; and second, I cannot use other extensions like Flask-Login etc., as I'm trying to make it on my own. How do I resolve this problem within the constraints?

Sometimes I have seen that the browser caches the rendered page and does not refresh it. For example, I have seen this behaviour in FF: I go to ESPNcricinfo, click on an article, read it and go back, and the page rendered does not have the score refreshed. The same behaviour is exhibited when you press CTRL+SHIFT+T to reopen closed tabs: the rendered page is loaded as well as the history of the tab.

Do you see this behaviour with Flask-Login as well? And what browser are you using to test?

I have seen some sites try to disable the back button, but that might not be an elegant way to do this. Another approach could be to see if you can play with the HTTP Cache-Control headers to see if they make a difference.

-- Vinayak
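The Cache-Control approach Vinayak suggests, worked through as an added example (this is not code from the thread or from Flask). It is a small WSGI middleware, standard library only, that replaces any caching headers on login-only pages with `Cache-Control: no-store` while leaving public and static responses exactly as the application set them, which is what the original poster's first constraint asks for. The path prefixes in `PUBLIC_PREFIXES`, the `demo_app` routes and the `get()` test driver are assumptions made for the demo; with a real Flask app you would install the middleware as `app.wsgi_app = NoStorePrivatePages(app.wsgi_app)`.

```python
# Added example (not from the thread or from Flask): WSGI middleware that
# sends "Cache-Control: no-store" on pages that require a login, so the
# browser does not replay them from its cache after logout, while public
# and static responses keep whatever caching headers the app set.
# Pure standard library. With Flask, install it as
#     app.wsgi_app = NoStorePrivatePages(app.wsgi_app)
# PUBLIC_PREFIXES, demo_app's routes and get() are assumptions for the demo.
from wsgiref.util import setup_testing_defaults

PRIVATE_CACHE_CONTROL = "no-store, no-cache, must-revalidate, max-age=0"
# Paths that are safe to cache: static assets and the public login/logout pages.
PUBLIC_PREFIXES = ("/static/", "/login", "/logout", "/favicon.ico")
# Headers that would contradict no-store (or let a cache revalidate) are dropped.
_CACHE_HEADERS = {"cache-control", "expires", "pragma", "etag", "last-modified"}


def is_private_path(path, public_prefixes=PUBLIC_PREFIXES):
    """Everything not under a public prefix is treated as login-only."""
    return not any(path.startswith(prefix) for prefix in public_prefixes)


def no_store_headers(headers):
    """Return a copy of the response headers with HTTP caching disabled."""
    kept = [(k, v) for k, v in headers if k.lower() not in _CACHE_HEADERS]
    kept += [("Cache-Control", PRIVATE_CACHE_CONTROL),
             ("Pragma", "no-cache"),
             ("Expires", "0")]
    return kept


class NoStorePrivatePages:
    """WSGI middleware: rewrite caching headers only for private paths."""

    def __init__(self, app, public_prefixes=PUBLIC_PREFIXES):
        self.app = app
        self.public_prefixes = public_prefixes

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if not is_private_path(path, self.public_prefixes):
            return self.app(environ, start_response)  # public: leave caching alone

        def patched_start_response(status, headers, exc_info=None):
            return start_response(status, no_store_headers(headers), exc_info)

        return self.app(environ, patched_start_response)


def demo_app(environ, start_response):
    """Stand-in for the Flask app: one cacheable static file, one private page."""
    path = environ.get("PATH_INFO", "/")
    if path.startswith("/static/"):
        start_response("200 OK", [("Content-Type", "text/css"),
                                  ("Cache-Control", "public, max-age=86400")])
        return [b"body { color: black }"]
    if path == "/home":
        # A real app checks session['logged_in'] here; the demo only shows
        # that the ETag the app emitted is stripped and no-store is added.
        start_response("200 OK", [("Content-Type", "text/html"), ("ETag", '"v1"')])
        return [b"<h1>Welcome back</h1>"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


wrapped_app = NoStorePrivatePages(demo_app)


def get(app, path):
    """Run one GET through a WSGI app offline; return (status, headers, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    setup_testing_defaults(environ)  # fills in the rest of a valid WSGI environ
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for path in ("/home", "/static/app.css"):
        status, headers, _ = get(wrapped_app, path)
        print(path, status, headers.get("Cache-Control"))
```

Two caveats a practitioner would check: `no-store` tells the HTTP cache not to keep the page, and browsers also use it as a signal not to restore the page from the back/forward cache, but that second part is browser policy rather than a guarantee, so test Back-after-logout in the browsers you care about; and the header only helps if logout actually invalidates the server-side state (the poster's `session.clear()`), since otherwise a re-fetched page is still served as logged in.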
Re: [BangPypers] back button issues with session handling in flask
On Saturday, 7 September 2013 at 9:59 PM, Adivandhya wrote:

> Hello guys, I'm making my own login module in Flask, and I'm now facing this problem pertaining to browser caching. After a user signs out (by setting session['logged_in'] = False or even doing session.clear()), if I press the back button on the browser, I can still see my homepage (which is supposed to be seen only when logged in). There are a few constraints while dealing with this problem: first, I do not want to totally disable browser caching, as I believe it is important for the efficiency of the website; and second, I cannot use other extensions like Flask-Login etc., as I'm trying to make it on my own. How do I resolve this problem within the constraints?

What are the risk factors in allowing the Back button to work?

1. The user cannot perform any restricted actions from this page, since all subsequent requests to the server will be unauthenticated.
2. If the user closes the tab/window, navigation history is discarded, so there's no risk of user B with physical access being able to see a logged-in page of user A.

Unless you are building a banking website which is specifically designed to harass users, I wouldn't worry about this.

You should, however, use HTTP status 303 instead of 301/302 to redirect the browser after POSTing a form. 301/302 is the primary reason for users accidentally submitting forms when they hit Back, since browsers consider 301/302 as a single page in navigation history, while 303 registers twice.

Kiran