On 18.10.2011 16:30, Olga wrote:
> I noticed that with the browser Back button we can see all page history, but you may be logged out or have logged in with another username.

Correct behaviour of the browser is to not contact the server at all when clicking the Back button, so the content should be reproduced completely from cache. So, you will not see a request on the server side, nor an event. Of course the user/browser could be configured not to have a cache, but this is under the control of the user or her administrator.
So, even if you follow the advice to put meta tags and response headers in place so that caching is disabled (or maybe set to expire after 0 seconds), the user/browser may choose to ignore these "hints" and *still* store the pages in the cache and *still* allow the user to press the Back button and view the history.
This is not a bug, it is inherent behaviour of the web itself - its philosophy. Whatever you do, it will work for ~90% of users, and it will work only if they use a controlled environment: company LAN, company desktops, laptops, maybe a home environment. For everyone that works with your website from, let's say, an internet cafe or kiosk, the computers there and the firewall and caching proxy may be set up in such a way as to *always* cache pages no matter what and to always respond with "old" content when the user asks.
I am not saying that you should not try, but that you should be aware of this, and that the best solution for the other 10% is to educate everyone that critical apps should not be used in public places where you cannot trust the local admins. You should educate users that, in order to be as safe as possible, they should *delete the browser cache and history and close all browser windows* after logging out, and especially before leaving the computer (if it's a public computer). If your personal computer has a chance of being used by someone else, you should not keep passwords, and you should regularly delete cache and session data.
Also, always keep in mind that the user can press the Back button at any time, even while inside the application, and possibly ruin internal transaction processes. So you have to check for this in your application.
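The reply above makes two server-side points: send no-store headers on authenticated pages (knowing they are only hints), and defend transaction steps against a Back-button resubmission. The following is an added example illustrating both; it is not code from the thread or from any project the thread discusses. It is plain Python with no web framework, the header audit and the `StepTokens` one-time-token class are the example's own design, and the session ids and scenario are constructed.

```python
import secrets
from typing import Dict, List, Tuple

# Response headers that ask the browser and any intermediary not to keep a copy.
# As the message above says, these are hints: a client or proxy may ignore them,
# so they reduce exposure but cannot guarantee that Back shows nothing.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}


def headers_for_page(base_headers: Dict[str, str], authenticated: bool) -> Dict[str, str]:
    """Return response headers for a page; authenticated pages get the no-store set."""
    headers = dict(base_headers)
    if authenticated:
        headers.update(NO_STORE_HEADERS)
    return headers


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Audit helper: list the ways a response's headers would still permit caching."""
    findings = []
    directives = {
        d.strip().lower()
        for d in headers.get("Cache-Control", "").split(",")
        if d.strip()
    }
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")
    if "public" in directives:
        findings.append("Cache-Control marks the response public")
    if headers.get("Pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    return findings


class StepTokens:
    """One-time tokens for multi-step transactions (hypothetical design).

    Each rendered step embeds a fresh token; the submit handler consumes it.
    A submit carrying an unknown or already-consumed token, which is what a
    Back-button resubmission looks like from the server side, is refused
    instead of being applied a second time.
    """

    def __init__(self) -> None:
        # token -> (session_id, step) still awaiting its submit
        self._pending: Dict[str, Tuple[str, str]] = {}

    def issue(self, session_id: str, step: str) -> str:
        token = secrets.token_urlsafe(16)
        self._pending[token] = (session_id, step)
        return token

    def consume(self, session_id: str, step: str, token: str) -> bool:
        # pop() makes the token single-use: a second submit with it fails.
        expected = self._pending.pop(token, None)
        return expected == (session_id, step)


def simulate_back_button_replay() -> Tuple[bool, bool, bool]:
    """Constructed scenario: submit step 'confirm', press Back, submit again."""
    tokens = StepTokens()
    session = "sess-demo"  # constructed session id
    token = tokens.issue(session, "confirm")
    first = tokens.consume(session, "confirm", token)    # genuine submit: accepted
    replay = tokens.consume(session, "confirm", token)   # Back + resubmit: refused
    # A token issued to one session must not be accepted from another.
    cross = tokens.consume("sess-other", "confirm", tokens.issue(session, "confirm"))
    return first, replay, cross


if __name__ == "__main__":
    print(cache_findings(headers_for_page({"Content-Type": "text/html"}, True)))
    print(cache_findings({"Cache-Control": "public, max-age=600"}))
    print(simulate_back_button_replay())
```

The audit function is meant for a test suite or a crawl of your own authenticated pages: a non-empty list means the response could legitimately be kept by a cache and shown again on Back. The token class does not stop the browser from displaying the old page, which the message explains is outside your control; it only ensures that re-posting that old page cannot re-run the transaction step.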