View Full Version : Damned BACK button reads from cache & ignores "Expires" meta-tag



abacus
08-11-2004, 08:09 PM
An administrator logs in. By virtue of Admin's UserID & pwd, Session("AccessLevel") = "4"; and the Administrator's Menu is displayed. If Session("AccessLevel") less than "4" then the page is Response.Redirect'd back to Login.

The Admin starts the Time Clock from a selection on the Admin Menu; and upon entering the Time Clock page, the Session("AccessLevel") is changed to "".

If the user, while on the Time Clock page, decides to click the browser's BACK button (or Alt-LeftArrow), the user, who has an AccessLevel less than 4, can get to the Admin Menu... which I don't want to happen.

On the AdminMenu.asp page, I've tried: <meta http-equiv="Expires" content="-1">, <meta http-equiv="Expires" content="0"> , and <meta http-equiv="Expires" content="01/01/2000">... all to no avail.

What's worse, the user can BACK Button or <Alt-LeftArrow> one more time, to the Login page, where the User ID is as the Admin had entered it, and the pwd textbox awaits a valid pwd. If the user clicks the FORWARD Button or <Alt-RightArrow>, the user overrides the need to enter a pwd; and is presented with the full Admin Menu from cache (with AccessLevel = 4, no less!) The opening lines of the AdminMenu.asp are:
<% If Session("AccessLevel") < "4" Then
Response.Redirect "Login.asp"
End if
%>
But these lines are ignored on the cache read!

How do I prevent an ASP page that is reloaded from the browser's cache from being displayed/functional???

raf
08-11-2004, 11:35 PM
If the user clicks the FORWARD Button or <Alt-RightArrow>, the user overrides the need to enter a pwd; and is presented with the full Admin Menu from cache (with AccessLevel = 4, no less!) The opening lines of the AdminMenu.asp are:
<% If Session("AccessLevel") < "4" Then
Response.Redirect "Login.asp"
End if
%>
But these lines are ignored on the cache read!

Doesn't seem right. The login check is server-side, so that will never be processed if a page is pulled from the cache. But that doesn't mean that the user has admin rights. If he would click on a link, to request a page, then at the top of the requesting page, the check would be run (these opening lines should be at the top of every admin page). So he would then be redirected.

If he isn't redirected, then this means that your session isn't destroyed or that the session variable isn't set to "" --> you should better destroy the session or set it to 0 (not sure how ""<"4" is evaluated. If you compare two strings (and I suppose "" is regarded as an empty string), then the performed comparison will be a length comparison. So " " < "4" could be False).

Anyway, about the client-side caching: there have been quite some searches here about (trying) to prevent that. One of these:
http://www.codingforums.com/showthread.php?t=41795&highlight=caching

miranda
08-12-2004, 10:33 PM
Because variables in ASP 3.0 are of the type variant, they can be strings or integers. The way you have your code, "4" is a string; therefore when you ask If Session("AccessLevel") < "4" you could just as well be asking If Session("AccessLevel") < "cat". Try changing the value to 4 with no quotes; this way it is an integer. Your default will be 0 instead of the empty string, and then when you ask If Session("AccessLevel") < 4 it will look and see that 0 < 1 < 2 < 3 < 4. If you must keep it as a string, then change it to this: If Session("AccessLevel") <> "4" Then.

As to caching, in addition to a meta tag, this is what I add to the top of the page to prevent it:

<%
' Buffer the output so headers can be set before anything is sent
Response.Buffer = True
' Expiry date one day in the past
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Cache-Control", "private"
%>

brothercake
08-13-2004, 03:11 AM
I don't think you can directly prevent this - when you click the back button your browser should not be reloading the page, it shouldn't even be drawing it from cache - it should literally re-create a snapshot of the previous interpreter state. Opera does this most successfully - and cache prevention makes no difference, because nothing is being drawn from cache.

Sorry, I know this isn't what you want to hear, but as far as I know this is not solvable. I don't understand the ASP aspect of your question, but my suggestion is that you try to find a way of modifying your scripting so that it doesn't matter.
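
Added example, not part of any post in this thread: a guard for the top of every admin page that compares the access level as a number, as the replies suggest, and sends cache headers with the response. The include name AdminGuard.asp, the AccessLevel() helper, the ADMIN_LEVEL constant and the no-store header value are assumptions; Session("AccessLevel") and Login.asp come from the original post.

```asp
<%
' AdminGuard.asp (hypothetical include name): place at the top of every
' admin page, before any HTML is written.
Const ADMIN_LEVEL = 4

' Return the session's access level as an integer.
' An unset value (Empty) or "" becomes 0, so the check below is always a
' numeric comparison and never string against string.
Function AccessLevel()
    Dim raw
    raw = Session("AccessLevel")
    If IsNumeric(raw) Then
        AccessLevel = CInt(raw)
    Else
        AccessLevel = 0
    End If
End Function

' Ask the browser and any proxy not to keep a copy of this page.
' no-store is an assumption of this example; the thread uses "private".
Response.Buffer = True
Response.Expires = -1
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Cache-Control", "no-store, no-cache, must-revalidate"
Response.AddHeader "Pragma", "no-cache"

' Runs on every real request for an admin page, including a request made
' by following a link from a stale copy of the menu.
If AccessLevel() < ADMIN_LEVEL Then
    Response.Redirect "Login.asp"
End If

' On the Time Clock page, drop the privilege with a number, not "":
'     Session("AccessLevel") = 0
%>
```

The headers only ask the browser not to keep a copy of the page. The numeric check, run on every admin page, is what refuses a request made from a menu the browser redisplayed.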


