Freelancers.net is owned and operated by Andy Stowell and Dan Winchester
RE: FN-FORUM: Logging off and removing the 'back' breach

date posted 27th June 2005 18:55

[EMAIL REMOVED] wrote:
> Jamie Wilson wrote:
>> Yup, given that you can use the browser's history to skip over the js
>> redirect page...
>
> Aye
>
>> Setting cache headers sounds reasonable, although some browsers may
>> ignore those to some degree.
>
> Aye - that's the bitch. Might work for some, but not for others, as
> it's up to the browser. Was just after the best way - there must be
> some fairly good ways as I bet the online banks have a pretty
> comprehensive method worked out, and it can't be that fancy as it's got
> to work on most if not all browsers.
>
>> What if you use js to pop open a new window to do the admin stuff in,
>> and then use js to close the window. The parent window won't have the
>> history in the back button, right? It will still be in the main
>> history of most modern browsers, though.
>
> New windows would work but are frowned upon - we did mull that over but
> it's not something the company likes.
>
>> What's this guy trying to hide, anyway? If it's just admin functions
>> ('delete this', 'add this', etc.) you can protect that on the
>> backend. If it's report type stuff that he really really doesn't
>> want other people to see, he either needs to only do the admin
>> stuff on his own machine, or learn how to clear caches and
>> histories on popular browsers (and hope there are no aggressive
>> proxy caches between random browser in a cafe and the server).
>
> It's data rather than functions. I.e. private crap that they don't want
> re-displayed. Education won't work, as suspect it'll be used on many
> computers by many idiots (erm... clients) and so the best remaining
> option seems to be the cache control stuff. I guess we'll just spend
> some time gathering up all the options and see which works best.
>
>> ...j
>
> Ta, and ttfn,
> dan

It is definitely tricky, but you could consider ajax/xmlhttp if lack of js
(by legit clients) is not a problem. With the data being called in by the
js it should not be cached and using 'back' should re-call the script on the
server and hence check session.

For plain html solutions I don't think there is much you can do, the only
way I know to block back/history is to reload subsequent pages into the same
history slot but that is javascript dependent, messy and unfriendly to legit
users. Cache control is always flaky as has been mentioned already.

HTH,

Dai

-- 
TechnologyAngel
http://www.technologyangel.co.uk/
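The two server-side measures the thread converges on, cache-control headers on every authenticated response and a session check on every request so that a page fetched again after logout is never re-served, are shown below in a small standard-library WSGI app. This is an added example written for this archive page, not code from Dai, Dan, Jamie or Freelancers.net; the paths (`/login`, `/logout`, `/private`), the `sid` cookie name and the in-memory `SESSIONS` store are constructed for the demonstration.

```python
"""Added example (not from the thread): no-store headers on authenticated
responses plus a per-request session check, so that the browser's Back
button either cannot show a cached private page or, if the browser ignores
the headers, has to re-request it and is redirected once the session is gone.
Paths, cookie name and session store are constructed for this example."""
import io
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

SESSIONS = {}            # session_id -> username (constructed in-memory store)
COOKIE_NAME = "sid"      # constructed cookie name

# Ask browsers and intermediate proxies not to keep a copy of the response.
# no-store is the directive that matters for Back/history; Pragma and Expires
# cover older HTTP/1.0 caches that do not understand Cache-Control.
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, private"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]


def current_user(environ):
    """Resolve the session cookie against the server-side store on every hit."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get(COOKIE_NAME)
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    method = environ.get("REQUEST_METHOD", "GET")
    user = current_user(environ)

    if path == "/login" and method == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(length).decode())
        username = form.get("user", [""])[0]
        sid = secrets.token_urlsafe(32)          # unguessable session id
        SESSIONS[sid] = username
        start_response("303 See Other", [
            ("Location", "/private"),
            ("Set-Cookie", f"{COOKIE_NAME}={sid}; HttpOnly; Path=/"),
        ] + NO_STORE_HEADERS)
        return [b""]

    if path == "/logout":
        # Invalidate server-side, not just in the browser: a stale cookie
        # re-sent by a cached page must no longer resolve to a user.
        cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        if COOKIE_NAME in cookie:
            SESSIONS.pop(cookie[COOKIE_NAME].value, None)
        start_response("303 See Other", [
            ("Location", "/"),
            ("Set-Cookie", f"{COOKIE_NAME}=; Max-Age=0; Path=/"),
        ] + NO_STORE_HEADERS)
        return [b""]

    if path == "/private":
        if user is None:
            start_response("303 See Other", [("Location", "/")] + NO_STORE_HEADERS)
            return [b""]
        body = f"Private report for {user}".encode()
        start_response("200 OK", [("Content-Type", "text/plain")] + NO_STORE_HEADERS)
        return [body]

    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"Public page"]


def call(path, method="GET", cookie="", body=b""):
    """Drive the app in-process (no network); returns (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["REQUEST_METHOD"] = method
    environ["HTTP_COOKIE"] = cookie
    environ["CONTENT_LENGTH"] = str(len(body))
    environ["wsgi.input"] = io.BytesIO(body)
    result = {}

    def start_response(status, headers):
        result["status"], result["headers"] = status, headers

    out = b"".join(app(environ, start_response))
    return result["status"], dict(result["headers"]), out


def sid_from(headers):
    """Extract the session id the login response set, for the walkthrough."""
    return SimpleCookie(headers["Set-Cookie"])[COOKIE_NAME].value


if __name__ == "__main__":
    _, h, _ = call("/login", "POST", body=b"user=dan")
    sid = sid_from(h)
    print(call("/private", cookie=f"sid={sid}"))   # 200, private body, no-store
    call("/logout", cookie=f"sid={sid}")
    print(call("/private", cookie=f"sid={sid}"))   # 303 back to "/", empty body
```

The walkthrough logs in, fetches the private page (200 with `Cache-Control: no-store`), logs out, and fetches it again with the same cookie; the second fetch is redirected because the session was removed on the server. That second fetch is the point of the thread: the headers ask the browser not to keep a copy, but whatever the browser does with them, a page that has to be re-requested goes through the session check and cannot be redisplayed after logout.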