Posted to dev@struts.apache.org by Apache Wiki <wi...@apache.org> on 2006/01/16 19:48:41 UTC

[Struts Wiki] Update of "BrowserBackAndSecurity" by GeorgeDinwiddie

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Struts Wiki" for change notification.

The following page has been changed by GeorgeDinwiddie:
http://wiki.apache.org/struts/BrowserBackAndSecurity

------------------------------------------------------------------------------
+ [[TableOfContents]]
+ 
  == Managing the Browser Back Button ==
  
  Two commonly asked questions on the Struts Users mailing list are how to prevent the user from seeing stale data when they hit the browser's 'back' button, and how to prevent them from seeing a secured page by hitting the back button after logging out. It turns out that these issues are related, and the solution to the latter builds on the solution to the former.
@@ -19, +21 @@

  To prevent the user from seeing stale data when they hit the back button, you need to tell their browser not to cache the page. You do this by including cache control 'hints' -- special HTTP headers -- in the response to each request. There are a number of different 'hints' you can supply, and different browsers (and HTTP proxies) respect different hints, so you need to supply several to achieve the desired result in all circumstances. Specifically, you need to set the `Pragma`, `Cache-Control`, and `Expires` headers, as follows:
  
  {{{
- ???
+ Pragma: nocache
+ Cache-Control: no-cache, must-revalidate, no-store
  }}}
  
  You can do this every time in your actions or JSPs, but that quickly gets tedious. Fortunately, Struts provides a way to do this automatically, by setting `nocache="true"` on the `controller` element in `struts-config.xml`:
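Review bot: the `Pragma` value in the added header block is misspelled and the block is incomplete. RFC 2616 section 14.32 defines the directive as `Pragma: no-cache`, with a hyphen; `Pragma: nocache` is not a recognised directive, so HTTP/1.0 caches and proxies will ignore it and the page may still be served from cache on 'back'. The sentence just above the block also promises the `Pragma`, `Cache-Control`, and `Expires` headers, but no `Expires` line was added; an already-expired value is what older caches that do not understand `Cache-Control` key on. Suggested block: `Pragma: no-cache` / `Cache-Control: no-cache, no-store, must-revalidate` / `Expires: 0` (RFC 2616 section 14.21 requires clients and caches to treat `0`, or any invalid date, as already in the past).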
@@ -60, +63 @@

  
  For a good introduction to implementing security and access control in a Struts-based web application, see the following resources:
  
-  * TODO: add some links to appropriate tutorials / articles
+ == Links to tutorials / articles ==
+  * http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9
+  * http://www.web-caching.com/
+  * 
  
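Review bot: the links added here do not match the sentence that introduces them, and the list ends with an empty item. The context line above promises "a good introduction to implementing security and access control in a Struts-based web application", but both URLs added (RFC 2616 section 14.9, which is `Cache-Control`, and web-caching.com) are about HTTP caching; they belong with the back-button section earlier on the page, not with access control. Either move the two links up under that section, or reword the new heading and lead-in to say they cover caching and keep the TODO for security/access-control tutorials, which this change leaves unfilled. Inserting a `== ... ==` heading between a sentence ending in a colon and the list it introduces also splits the two; put the heading before the sentence or drop it. Finally, remove the trailing ` * ` line, which MoinMoin renders as an empty bullet.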

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org