
Browser cache keeps data, compromising privacy


nametooshort

Question

I have a datapage that allows authenticated users to search the database (it's a school directory). Unfortunately the results page is available even after the user logs out. He / she only needs to press the browser's "back" button, several times if necessary, to access this.

At first there was no record-level security set. Later on I added Active accounts to the record-level security just to have something in place. But the above still happens. So I suspect it's got to do with the page set to "allow users to search data", instead of "filter data based on predefined criteria". My other datapages have this set to "filter data" and once a user logs out, these pages are no longer available.

When I contacted Caspio they blamed the browser and advised me to tell users to close their browsers after use. This is of course not an acceptable solution. Why go through registration, manual verification, and SSL authentication steps if data is just going to be available in the cache?

Has anyone else experienced this issue, and how did you overcome it? Thank you for your help.


2 answers to this question


Disabling the back button and how the browser caches information is NOT an easy thing.

Looking at Caspio's response code on any page, I can see that they are using the appropriate cache control (i.e. . Also, when a user logs out all cookies are destroyed, therefore previously authenticated pages cannot be re-submitted. However, preventing the user from clicking the back button (especially multiple times) is an exercise for the container of the application and the browser/web server that it is running on.

Most libraries, airports, hospitals and in general public places, attack that problem by implementing some or all of the following actions:

1) Using specialized browser sessions that provide customized windows with no navigation. In that case you get your URL bar, your printing buttons, but no navigation or view source(!) or other menus.

2) Enclosing the Web pages in a container that disables the back button from the right-click menu (many JavaScript solutions are available for that). This will prevent most users, but not all.

3) Making the back button behave like a forward button

<script type="text/javascript">
  // Whenever this page is shown (including via the back button), immediately
  // send the visitor forward again, so "back" bounces them off this page.
  window.history.forward();
</script>
4) Having a mechanism (i.e. scheduled job) that periodically cleans up the browser cache from the computer. In addition, some of the latest browsers allow for "private browsing" where nothing gets cached in searches or pages. Then the administrator configures (and locks down) the system in a way that each user has to open a new private session when browsing.

Unfortunately, I have found that there is still no way of truly disabling the back button for all cases. All the methods will, with varying degrees of success, prevent the user from viewing the previous page, but they all have their limitations. There is no way to completely disable the back button... sorry!

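The answer above rests on two things the server controls: the cache headers it sends on protected pages, and whether a page can be shown again without a fresh request once the session cookie is gone. The following is an added example written for this thread, not code from the original posts or from Caspio; the function names are my own and the header sets are constructed samples. It builds the header set a protected results page should carry, applies it to any Node-style response object, and includes a small checker that tells you whether a given response's headers would let the browser replay the page from cache. A client-side companion reloads the page when a browser restores it from its back/forward cache, forcing a server round-trip that fails once the user is logged out.

```javascript
// Added example (not Caspio's code, not from the thread): cache headers that
// stop a logged-out user's "back" button from replaying a protected page,
// plus a checker for any response's headers.

// Headers a protected (authenticated) page should carry. `no-store` is the
// directive that matters: it tells the browser and any proxy not to keep a
// copy at all, so "back" has nothing to show once the session is gone.
function cacheHeadersForProtectedPage() {
  return {
    'Cache-Control': 'no-store, no-cache, must-revalidate, max-age=0',
    'Pragma': 'no-cache',   // legacy HTTP/1.0 caches
    'Expires': '0',         // legacy clients that ignore Cache-Control
  };
}

// Applies the protected-page headers to any object exposing setHeader(),
// e.g. Node's http.ServerResponse. Returns the number of headers set.
function applyProtectedCacheHeaders(res) {
  const headers = cacheHeadersForProtectedPage();
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  return Object.keys(headers).length;
}

// Returns true when a response's headers would let the browser serve the
// page from cache without contacting the server. Header names are matched
// case-insensitively because they arrive in different casings.
function allowsCachedReplay(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = String(value);
  }
  const directives = (lower['cache-control'] || '')
    .split(',')
    .map((d) => d.trim().toLowerCase());
  // `private` or `max-age` alone still allow the browser's own cache to keep
  // the page; only `no-store` forbids keeping a copy.
  return !directives.includes('no-store');
}

// Constructed sample: what a results page tends to send when nobody set
// cache headers deliberately. `private` keeps proxies out but lets the
// user's own browser cache the page for ten minutes.
const weakResponseHeaders = {
  'Content-Type': 'text/html; charset=utf-8',
  'Cache-Control': 'private, max-age=600',
};

// Client-side companion (hypothetical name). A browser that restores a page
// from its back/forward cache shows it without any request; reloading on
// restore forces a round-trip that the server rejects once the session
// cookie is gone. Does nothing (returns false) outside a browser.
function guardBfcache() {
  if (typeof window === 'undefined') return false;
  window.addEventListener('pageshow', (event) => {
    if (event.persisted) window.location.reload();
  });
  return true;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak headers allow replay:',
    allowsCachedReplay(weakResponseHeaders));
  console.log('hardened headers allow replay:',
    allowsCachedReplay(cacheHeadersForProtectedPage()));
}
```

Run the checker against the headers your own results page actually returns (copy them from the browser's developer tools); if it reports true, the page can be shown again after logout regardless of what the login mechanism does. The header fix belongs on every page that renders protected data, not only on the login page.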

Note that many times a web app that doesn't seem to have this problem is making heavy use of Ajax techniques (Rich Internet App, Web 2.0, whatever you want to call it). See Gmail or Yahoo Mail for example. This is where you essentially stay on one web page, and the individual bits of data throughout the page change dynamically.

This does prevent users from going back, since "back" is a prior application state, not an address. The downside is when you desire to enable the back button, as well as trying to enable bookmarks/links, etc. Very challenging to do, as the URL almost becomes meaningless in such cases.
