  1. #1
    New Coder
    Join Date
    Aug 2004
    Location
    Saint Peters, Missouri, USA
    Posts
    15
    Thanks
    3
    Thanked 0 Times in 0 Posts

    Damned BACK button reads from cache & ignores "Expires" meta-tag

    An administrator logs in. By virtue of Admin's UserID & pwd, Session("AccessLevel") = "4"; and the Administrator's Menu is displayed. If Session("AccessLevel") less than "4" then the page is Response.Redirect'd back to Login.

    The Admin starts the Time Clock from a selection on the Admin Menu; and upon entering the Time Clock page, the Session("AccessLevel") is changed to "".

    If the user, while on the Time Clock page, decides to click the browser's BACK button (or Alt-LeftArrow), the user, who has an AccessLevel less than 4, can get to the Admin Menu... which I don't want to happen.

    On the AdminMenu.asp page, I've tried: <meta http-equiv="Expires" content="-1">, <meta http-equiv="Expires" content="0"> , and <meta http-equiv="Expires" content="01/01/2000">... all to no avail.

    What's worse, the user can BACK Button or <Alt-LeftArrow> one more time, to the Login page, where the User ID is as the Admin had entered it, and the pwd textbox awaits a valid pwd. If the user clicks the FORWARD Button or <Alt-RightArrow>, the user overrides the need to enter a pwd; and is presented with the full Admin Menu from cache (with AccessLevel = 4, no less!) The opening lines of the AdminMenu.asp are:
    <% If Session("AccessLevel") < "4" Then
    Response.Redirect "Login.asp"
    End if
    %>
    But these lines are ignored on the cache read!

    How do I prevent an ASP page that is reloaded from the browser's cache from being displayed/functional???

  • #2
    raf
    Master Coder
    Join Date
    Jul 2002
    Posts
    6,589
    Thanks
    0
    Thanked 0 Times in 0 Posts
    If the user clicks the FORWARD Button or <Alt-RightArrow>, the user overrides the need to enter a pwd; and is presented with the full Admin Menu from cache (with AccessLevel = 4, no less!) The opening lines of the AdminMenu.asp are:
    <% If Session("AccessLevel") < "4" Then
    Response.Redirect "Login.asp"
    End if
    %>
    But these lines are ignored on the cache read!
    Doesn't seem right. The login check is server-side, so that will never be processed if a page is pulled from the cache. But that doesn't mean that the user has admin rights. If he would click on a link, to request a page, then at the top of the requested page, the check would be run (these opening lines should be at the top of every admin page). So he would then be redirected.

    If he isn't redirected, then this means that your session isn't destroyed or that the session variable isn't set to "" --> you had better destroy the session or set it to 0 (not sure how "" < "4" is evaluated). If you compare two strings (and I suppose "" is regarded as an empty string), then the performed comparison will be a length comparison. So " " < "4" could be False.

    Anyway, about the client-side caching: there have been quite some searches here about (trying) to prevent that. One of these:
    http://www.codingforums.com/showthre...hlight=caching
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html

  • #3
    Senior Coder
    Join Date
    Dec 2002
    Location
    Arlington, Texas USA
    Posts
    1,072
    Thanks
    4
    Thanked 8 Times in 8 Posts
    Because variables in ASP 3.0 are of the type Variant, they can be strings or integers. The way you have your code, "4" is a string; therefore when you ask If Session("AccessLevel") < "4" you could just as well be asking If Session("AccessLevel") < "cat". Try changing the value to 4 with no quotes; this way it is an integer. Your default will be 0 instead of the empty string, and then when you ask If Session("AccessLevel") < 4 it will look and see that 0 < 1 < 2 < 3 < 4. If you must keep it as a string, then change it to this: If Session("AccessLevel") <> "4" Then.

    As to Caching, in addition to a meta tag this is what I add to the top of the page to prevent it
    Code:
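    <%
    ' Buffer the page so the headers below can still be set before output is sent
    Response.Buffer = True
    ' Give the page an expiry time one day in the past
    Response.ExpiresAbsolute = Now() - 1
    ' "private" tells shared proxies not to cache the response
    Response.AddHeader "Cache-Control", "private"
    %>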
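
Added example, not part of any post in this thread: one way to combine the advice above in classic ASP, with a numeric access-level check, explicit no-cache headers, and a reset of the session value when leaving the admin area. `Session("AccessLevel")`, `Login.asp` and `AdminMenu.asp` come from the thread; the include file name `AccessCheck.asp` and the routine names are hypothetical.

```asp
<%
' AccessCheck.asp (hypothetical include file; added example, not code from the thread).
' Usage at the very top of AdminMenu.asp and every other admin page:
'     <!-- #include file="AccessCheck.asp" -->
'     <% RequireLevel 4 %>

' Return Session("AccessLevel") as a Long. A missing, Empty or non-numeric
' value becomes 0, so the comparison in RequireLevel is numeric, not string-based.
Function CurrentAccessLevel()
    Dim raw
    raw = Session("AccessLevel")
    If IsEmpty(raw) Or Not IsNumeric(raw) Then
        CurrentAccessLevel = 0
    Else
        CurrentAccessLevel = CLng(raw)
    End If
End Function

' Ask the browser and any proxy not to store or reuse this response.
' Response.CacheControl replaces the default "private" value instead of
' adding a second Cache-Control header.
Sub SendNoCacheHeaders()
    Response.Expires = -1
    Response.CacheControl = "no-store, no-cache, must-revalidate"
    Response.AddHeader "Pragma", "no-cache"
End Sub

' Redirect to Login.asp unless the session holds at least minLevel.
' This runs on every request the server receives, so a stale copy shown
' by the browser cannot be used to perform an admin action.
Sub RequireLevel(minLevel)
    SendNoCacheHeaders
    If CurrentAccessLevel() < minLevel Then
        Response.Redirect "Login.asp"
    End If
End Sub

' Drop admin rights, for example on entering the Time Clock page.
' Storing the integer 0 keeps later comparisons numeric.
Sub DropPrivileges()
    Session("AccessLevel") = 0
End Sub
%>
```

Whether a browser still redraws an earlier page on BACK is outside the server's control; what this guarantees is that any link or form submitted from that page is checked again on the server.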

  • #4
    Senior Coder
    Join Date
    Jun 2002
    Location
    near Oswestry
    Posts
    4,508
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I don't think you can directly prevent this - when you click the back button your browser should not be reloading the page, it shouldn't even be drawing it from cache - it should literally re-create a snapshot of the previous interpreter state. Opera does this most successfully - and cache prevention makes no difference, because nothing is being drawn from cache.

    Sorry, I know this isn't what you want to hear, but as far as I know this is not solvable. I don't understand the ASP aspect of your question, but my suggestion is that you try to find a way of modifying your scripting so that it doesn't matter.
    "Why bother with accessibility? ... Because deep down you know that the web is attractive to people who aren't exactly like you." - Joe Clark

