Posted to users@tapestry.apache.org by Mats Henricson <ma...@gmail.com> on 2006/11/29 21:31:43 UTC

DISabling the back button

This may be elementary, but we have two cases where we don't want our users
to be able to use the browser's back button:

1. After a submit of a form, when we've sent them to a new page saying
   "Your blah blah blah has been submitted successfully". Allowing users
   to go back and submit again would be bad for us.
2. After a logout. We don't want our users to be able to use the back
   button to see the last page, from which he clicked the "Log out" link.
   We know that going somewhere from that brought-back page would lead the
   user to the login page, but none the less, it would be bad enough,
   especially if it is done from a public terminal.

Can both cases be solved in the same way? How do you normally solve problems
like this in Tapestry?

Mats

Re: DISabling the back button

Posted by Nick Westgate <ni...@key-planning.co.jp>.
I usually solve (1) with a "Flow Synchronizer". Search this list, and see:
http://www.junlu.com/msg/85270.html

For (2) I think the only safe way is to close the window. Perhaps you can
ask the user to do this, and then do it via a timer in javascript anyway.

Using forms might force a refresh when using the back button depending on
the browser etc, but caching in FF etc means that's not always the case.

You can try all the javascript tricks to disable the back button, or play
with the history, but a malicious user can get around this, which is what
you're worried about right? Viewing sensitive data on previous pages.

Cheers,
Nick.


Mats Henricson wrote:
> This may be elementary, but we have two cases where we don't want our users
> to be able to use the browser's back button:
>
> 1. After a submit of a form, when we've sent them to a new page saying
>    "Your blah blah blah has been submitted successfully". Allowing users
>    to go back and submit again would be bad for us.
> 2. After a logout. We don't want our users to be able to use the back
>    button to see the last page, from which he clicked the "Log out" link.
>    We know that going somewhere from that brought-back page would lead the
>    user to the login page, but none the less, it would be bad enough,
>    especially if it is done from a public terminal.
>
> Can both cases be solved in the same way? How do you normally solve problems
> like this in Tapestry?
> 
> Mats
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
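
For case (1), a one-time form token is a common way to reject a form that is resubmitted after pressing Back. This is an added example, not part of the original thread and not the code behind the "Flow Synchronizer" link; the class name FormTokenStore, its methods and the 15-minute lifetime are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** One-time form tokens for a single user session (hypothetical class, not a Tapestry API). */
public class FormTokenStore {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Long> issuedAt = new ConcurrentHashMap<>(); // token -> issue time (ms)
    private final long maxAgeMillis;

    public FormTokenStore(long maxAgeMillis) { this.maxAgeMillis = maxAgeMillis; }

    /** Call while rendering the form; put the result in a hidden field. */
    public String issue(long nowMillis) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        issuedAt.put(token, nowMillis);
        return token;
    }

    /** Call first in the submit handler. The atomic remove() means a token is accepted at most once. */
    public boolean consume(String token, long nowMillis) {
        if (token == null) return false;
        Long issued = issuedAt.remove(token);
        return issued != null && nowMillis - issued <= maxAgeMillis;
    }

    public static void main(String[] args) {
        FormTokenStore session = new FormTokenStore(15 * 60 * 1000L); // constructed value: 15 minutes
        long t0 = System.currentTimeMillis();
        String hidden = session.issue(t0);
        System.out.println("first submit:      " + session.consume(hidden, t0 + 5_000));
        // Back button: the browser re-displays the cached form, hidden field unchanged.
        System.out.println("resubmit via Back: " + session.consume(hidden, t0 + 9_000));
        System.out.println("unknown token:     " + session.consume("not-issued", t0));
        String stale = session.issue(t0);
        System.out.println("stale form:        " + session.consume(stale, t0 + 16 * 60 * 1000L));
    }
}
```

Because the check runs on the server, it holds whatever the browser does with its history or cache; a double-click on the submit button is rejected the same way as a resubmit after Back.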


Re: DISabling the back button

Posted by Jesse Kuhnert <jk...@gmail.com>.
Throw a RedirectException?

You could optionally also probably remove items from their browser
history via javascript (I think?), but the redirect is probably
easiest.

On 11/29/06, Mats Henricson <ma...@gmail.com> wrote:
> This may be elementary, but we have two cases where we don't want our users
> to be able to use the browser's back button:
>
> 1. After a submit of a form, when we've sent them to a new page saying
>    "Your blah blah blah has been submitted successfully". Allowing users
>    to go back and submit again would be bad for us.
> 2. After a logout. We don't want our users to be able to use the back
>    button to see the last page, from which he clicked the "Log out" link.
>    We know that going somewhere from that brought-back page would lead the
>    user to the login page, but none the less, it would be bad enough,
>    especially if it is done from a public terminal.
>
> Can both cases be solved in the same way? How do you normally solve problems
> like this in Tapestry?
>
> Mats
>
>


-- 
Jesse Kuhnert
Tapestry/Dojo/(and a dash of TestNG), team member/developer

Open source based consulting work centered around
dojo/tapestry/tacos/hivemind. http://blog.opencomponentry.com



Re: DISabling the back button

Posted by Jiří Mareš <Ji...@svt.cz>.
Hi,

The headers forcing the browser not to cache the page are:

Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: 1

Jirka

PS: It causes problems with downloading files (attachments) in IE via HTTPS, so you have to change the headers for
attachment downloads in IE to:

Cache-Control: max-age=0
Expires: 1


>> 2. After a logout. We don't want our users to be able to use the back
>>    button to see the last page, from which he clicked the "Log out" link.
>>    We know that going somewhere from that brought-back page would lead the
>>    user to the login page, but none the less, it would be bad enough,
>>    especially if it is done from a public terminal.
> Hello,
>
> I've done a lot of searching on this subject, but I did not find a
> functional solution.
> I've tried many headers about cache expiration and so on, but found no
> solution. For example, when I click the Back button in Firefox, it shows
> me the page and there is no access to the server; it is only a cached
> version of the page.
>
> If you find HTTP headers which make it impossible for the web browser to go
> back without talking to the server, I'll give you all my love! ;-)
> It's a hard subject.

-- 
Jiří Mareš (mailto:Jiri.Mares@svt.cz)
ČSAD SVT Praha, s.r.o. (http://www.svt.cz)
Czech Republic
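
The two header sets from this message, chosen per request, with a check for whether the result still lets a cache keep a copy. This is an added example, not part of the original thread; the class CacheHeaderPolicy, its method names, the "MSIE" User-Agent test and the sample User-Agent strings are assumptions, and in a servlet application the returned map would be written with response.setHeader.

```java
import java.util.Map;
import java.util.TreeMap;

/** Chooses the cache headers quoted above and checks whether a response may be stored (hypothetical class). */
public class CacheHeaderPolicy {

    /** attachment, https and userAgent would come from the request in a real filter. */
    static Map<String, String> headersFor(boolean attachment, boolean https, String userAgent) {
        // Assumption: older IE identifies itself with "MSIE" in the User-Agent header.
        boolean ie = userAgent != null && userAgent.contains("MSIE");
        Map<String, String> h = new TreeMap<>(String.CASE_INSENSITIVE_ORDER); // header names are case-insensitive
        if (attachment && https && ie) {
            h.put("Cache-Control", "max-age=0");            // relaxed set from the PS
        } else {
            h.put("Pragma", "No-cache");
            h.put("Cache-Control", "no-cache,no-store,max-age=0");
        }
        h.put("Expires", "1");
        return h;
    }

    /** True when Cache-Control carries no-store, the directive that tells caches not to keep a copy. */
    static boolean forbidsStorage(Map<String, String> headers) {
        String cc = headers.get("Cache-Control");
        if (cc == null) return false;
        for (String directive : cc.split(",")) {
            if (directive.trim().equalsIgnoreCase("no-store")) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        String ie6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)";                  // constructed sample
        String ff  = "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20061010 Firefox/2.0"; // constructed sample
        Object[][] cases = { {false, true, ff}, {false, true, ie6}, {true, true, ie6}, {true, false, ie6} };
        for (Object[] c : cases) {
            Map<String, String> h = headersFor((Boolean) c[0], (Boolean) c[1], (String) c[2]);
            System.out.println("attachment=" + c[0] + " https=" + c[1]
                + " ie=" + ((String) c[2]).contains("MSIE") + " -> " + h
                + " storable=" + !forbidsStorage(h));
        }
    }
}
```

The relaxed set used for IE attachment downloads over HTTPS has no no-store directive, so only that case reports storable=true; keeping the exception that narrow limits what can remain in the browser cache after logout.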



Re: Re: DISabling the back button

Posted by Sam Gendler <sg...@ideasculptor.com>.
gmail used to disable the back button.  Now they've hacked it to do
the 'correct' thing.  It is apparently browser dependent, however, as
the back button still sends you to the previous SITE when using gmail
in Safari.  In firefox, they must be trapping the back button and
sending an ajax request.  Surely it must be possible to trap the back
button and just do nothing with it, instead.  I don't know the
details, though.

Sending a redirect doesn't fix the back button behaviour.  It can be
useful to prevent reloads executing methods that aren't idempotent,
since hitting reload won't cause the form to be reposted, but it
doesn't impact the back button at all.

I know dojo has some framework that allows you to place the request
you just sent into a stack, and have the back button send that request
as an asynch request.  It would still be up to you to make sure your
application can handle those requests correctly. I investigated a
little, but found it kind of useless without built-in support for it
in various tapestry components, since you have to manually manipulate
a js datastructure with values that a tapestry application isn't often
aware of, such as URL and query params.  Maybe I just didn't do enough
reading on the topic, since it wasn't functionality that was high on
my hitlist, but it felt pretty awkward on first glance.

--sam


On 11/29/06, Daniel Tabuenca <dt...@gmail.com> wrote:
> How does Tacos do it? I see the @DirtyFormWarning won't let you click
> the back button if you changed the form (It will popup a warning
> instead).  I believe they use javascript with window.onbeforeunload
> event.  Here is a link:
>
> http://www.webreference.com/dhtml/diner/beforeunload/bunload4.html
>
> Anyone know any reason why this wouldn't work?
>
>
> On 11/29/06, Cyrille37 <cy...@gmail.com> wrote:
> > Mats Henricson wrote:
> > > 2. After a logout. We don't want our users to be able to use the back
> > >    button to see the last page, from which he clicked the "Log out" link.
> > >    We know that going somewhere from that brought-back page would lead the
> > >    user to the login page, but none the less, it would be bad enough,
> > >    especially if it is done from a public terminal.
> > Hello,
> >
> > I've done a lot of searching on this subject, but I did not find a
> > functional solution.
> > I've tried many headers about cache expiration and so on, but found no
> > solution. For example, when I click the Back button in Firefox, it shows
> > me the page and there is no access to the server; it is only a cached
> > version of the page.
> >
> > If you find HTTP headers which make it impossible for the web browser to go
> > back without talking to the server, I'll give you all my love! ;-)
> > It's a hard subject.
> >
> > Cyrille
> >


Re: DISabling the back button

Posted by Daniel Tabuenca <dt...@gmail.com>.
How does Tacos do it? I see the @DirtyFormWarning won't let you click
the back button if you changed the form (It will popup a warning
instead).  I believe they use javascript with window.onbeforeunload
event.  Here is a link:

http://www.webreference.com/dhtml/diner/beforeunload/bunload4.html

Anyone know any reason why this wouldn't work?


On 11/29/06, Cyrille37 <cy...@gmail.com> wrote:
> Mats Henricson wrote:
> > 2. After a logout. We don't want our users to be able to use the back
> >    button to see the last page, from which he clicked the "Log out" link.
> >    We know that going somewhere from that brought-back page would lead the
> >    user to the login page, but none the less, it would be bad enough,
> >    especially if it is done from a public terminal.
> Hello,
>
> I've done a lot of searching on this subject, but I did not find a
> functional solution.
> I've tried many headers about cache expiration and so on, but found no
> solution. For example, when I click the Back button in Firefox, it shows
> me the page and there is no access to the server; it is only a cached
> version of the page.
>
> If you find HTTP headers which make it impossible for the web browser to go
> back without talking to the server, I'll give you all my love! ;-)
> It's a hard subject.
>
> Cyrille
>


Re: DISabling the back button

Posted by Cyrille37 <cy...@gmail.com>.
Mats Henricson wrote:
> 2. After a logout. We don't want our users to be able to use the back
>    button to see the last page, from which he clicked the "Log out" link.
>    We know that going somewhere from that brought-back page would lead the
>    user to the login page, but none the less, it would be bad enough,
>    especially if it is done from a public terminal.
Hello,

I've done a lot of searching on this subject, but I did not find a
functional solution.
I've tried many headers about cache expiration and so on, but found no
solution. For example, when I click the Back button in Firefox, it shows
me the page and there is no access to the server; it is only a cached
version of the page.

If you find HTTP headers which make it impossible for the web browser to go
back without talking to the server, I'll give you all my love! ;-)
It's a hard subject.

Cyrille

