You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Malka Cymbalista <Ma...@weizmann.ac.il> on 2008/06/26 16:30:23 UTC
[users@httpd] Forcing a page to be read from server and not from browser
cache
We have created a system for a web site where a person has to log in, in order to see the site. Every time a person requests a page in the site, it goes via a perl script which checks to see if there is a cookie which indicates if the person has logged in.
We have put a logout button on the site so that when a person logs out, the cookie is erased.
The problem is, if a person logs out and then presses the Back button in the browser, the page is displayed from the cache. If the person goes to a page that he did not previously visit, he gets the login page. But if he goes to a page that he did previously visit, he gets the page from the cache.
We have put the following lines on the page
<META HTTP-EQUIV="Expires" CONTENT="0">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
but it doesn't seem to help and the page is still cached. How can I force the page to be read from the server and not displayed from the cache?
We are running Aoache 2.2.6 with mod_perl 2.0.3 on a Linux machine.
Thanks for any help.
--
Malka Cymbalista
Webmaster, Weizmann Institute of Science
malki.cymbalista@weizmann.ac.il
08-934-3036
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Forcing a page to be read from server and not from
browser cache
Posted by André Warnier <aw...@ice-sa.com>.
Hi Malka.
I do not know the answer to your question, precisely, but I just wanted
to make the following comment, because I have encountered the same kind
of situation or question often before.
The general principle is : a user accesses your site, and you *give* him
a html page. Now he has it, and it's "his", and he can do with it
anything he wants. Ultimately, you have no control.
You have to accept that, that's the way it is.
You can send all the pragmas and cache-control instructions and cookies
you want, but because they decide which browser they use and how they
set it up and what bugs it has, they are the masters.
For example, they can save your page to disk, and then re-open that file
with their browser whenever they want, and click on the links in it.
Fighting all the different ways to do this, is a lot of work, and you
can never win 100%.
What I am saying is, if you are thinking of this as a security
mechanism, then forget it.
Once you accept that, fundamentally, then you can start thinking of ways
to *help* the users not to use outdated pages etc.. and maybe someone
else can tell you what better headers to use, to have a better chance at
success.
If all else fails, and it is really a problem to you, you could try
things like having your pages contain a
<body onLoad="javascript: myfunction()">
with "myfunction" doing something that really requires a new interaction
with the server, or plays with the browser's History. But again, that's
a lot of work, and the user can always disable javascript, or save your
page and edit it.
Now, another question is this :
The users go to the site, login, get a cookie, and do some things. Then
they logout, and you clear the cookie.
Now they use the back button to re-display a page that they could only
get before, when they were logged in.
Ok, but is it a problem ?
They can see only pages that they have seen before, when they were
logged in, so it should not be a security issue.
If they click on any link in that page, since they do not have the
cookie anymore, your authentication method should detect that, and
re-direct them to the login page, before giving them access (maybe) to
the content of that link. Otherwise, it is your authentication setup
that is broken.
If it is the user that is concerned that someone else could get to his
PC and redisplay confidential pages, then it is their problem, and they
should clear the browser cache. You can usually set up the browser to do
that automatically when it closes.
André
Malka Cymbalista wrote:
> We have created a system for a web site where a person has to log in, in order to see the site. Every time a person requests a page in the site, it goes via a perl script which checks to see if there is a cookie which indicates if the person has logged in.
> We have put a logout button on the site so that when a person logs out, the cookie is erased.
> The problem is, if a person logs out and then presses the Back button in the browser, the page is displayed from the cache. If the person goes to a page that he did not previously visit, he gets the login page. But if he goes to a page that he did previously visit, he gets the page from the cache.
> We have put the following lines on the page
> <META HTTP-EQUIV="Expires" CONTENT="0">
> <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
> <META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
> but it doesn't seem to help and the page is still cached. How can I force the page to be read from the server and not displayed from the cache?
> We are running Aoache 2.2.6 with mod_perl 2.0.3 on a Linux machine.
> Thanks for any help.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org