K
K
KhanTengri2011-05-26 23:53:34
User identification
KhanTengri, 2011-05-26 23:53:34

How to prevent a user from going back to a secure page after they log out?

I must say right away that I do not think that the solution to this problem depends on what the server part is implemented on (Ruby, Python, PHP, JSP, ASP.NET, etc.), so I omit this point here.

In general, let's say that the user is currently logged in and is in his profile (profile.htm). Next, he decides to log out and clicks on the appropriate link (logout.htm). logout.htm removes cookies from the browser, objects associated with the user on the server and redirects him to the login.htm page. But the question is: how to prevent the user from going back to profile.htm if he (or someone else) clicks the “Go Back” button in the browser?
The browser caches the profile page and the previous ones too, which allows you to view them all in a chain by clicking “Go Back” ... All links on these pages will, of course, no longer be active, but cached user data (for example: email, name etc.) can be see.

How to prevent this behavior of the system?
I mean standard methods, I don't want to reinvent the wheel.


UPD: In short, I have not found any complete solution to the problem.

Tricks with ajax, in my opinion, in principle, cannot be applied here because it looks more like a hack than a standard implementation and it will not work if javascript is turned off. Also, this solution is more suitable for portals mostly or completely built on ajax (like Twitter).

Another javascript solution using history.forward() doesn't work everywhere. For example, in the latest version of Firefox (Firefox4) - this does not work. Also, with javascript turned off ...

From the point of view of implementation, the more correct way is the one that offersVolCh: adding http headers like Cache-Control:no-cache, no-store, must-revalidate; pragma:no-cache; Expired:0. After all, it’s better not to just throw the browser into the cache that after logout you want to delete from there. This is a logical and simple way to achieve the goal I have indicated. Habr, by the way, also returns headers with these attributes after login. However, this approach also does not work everywhere. I have tested on Firefox, Chrome, Opera and Safari. In the first two cases, the browser, as expected, did not allow going back after logout, in the second two, it allowed ...

In general, at the moment I am focusing on the method with http headers.

PS: By the way, this link turned out to be very useful:
stackoverflow.com/questions/4194207/restrict-user-from-accessing-the-previous-page-after-signout

Answer the question

In order to leave comments, you need to log in

8 answer(s)
H
Hast, 2011-05-27
@Hast

Yes, in general, no way. Only I, for example, do not understand why this is necessary. If the user was already on this page, what's the point of hiding it from him after logout?

V
vinxru, 2011-05-27
@vinxru

Make an empty page that makes an AJAX request and displays the result on the screen (in innerHTML).
The server code (almost certainly) won't even need to be changed.
When you click on "back", the page will make a second AJAX request, but will no longer receive the data.

M
Mark, 2011-05-27
@printf

Send HTTP header Vary: Cookie . This is a standard way to give different pages when the session is lost, it's strange that no one has written yet.
The implementation of this depends on the browser, of course.

O
Oleg Matrozov, 2011-05-27
@Mear

Hmm ... non-standard and crutch. On profile.htm place JS that checks for cookies, there are no cookies - we do a redirect or something else where necessary.

H
himik, 2011-05-27
@himik

what browser behaves like this? I tried it in chrome on several sites, including here, I couldn’t return to my account after logging out.

V
Vladimir Chernyshev, 2011-05-27
@VolCh

Prevent browser caching with various http headers like Cache-Control, Expires, Pragma: no-cache.
True, there are browsers that do not care about standards and prohibitions. And it's not even IE, but Opera (if nothing has changed lately)

I
iStyx, 2011-05-27
@iStyx

Hint: pages fetched over https are not cached by browsers

S
Sergey Beresnev, 2011-05-27
@sectus

You can do it in a sophisticated way: give all pages in encrypted form (and let it be cached), plus a script on the page. This script makes an ajax request that receives a key (which is issued per session) and tries to decrypt the page and display what happened. If not, then refresh the current page. So the request will be executed every time, but quite simple, and the main part of the page will be cached by the browser.

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question