Jump to content
  • 0

Browser cache keeps data, compromising privacy


nametooshort
 Share

Question

I have a datapage that allows authenticated users to search the database (it's a school directory). Unfortunately the results page is available even after the user logs out. He / she only needs to press the browser's "back" button, several times if necessary, to access this.

At first there's no record level security set. Later on I added Active accounts to the record level security just to have something in place. But the above still happens. So I suspect it's got to do w/ the page set to "allow users to search data", instead of "filter data based on predefined criteria". My other datapages have this set to "filter data" and once a user logs out, these pages are no longer available.

When I contacted Caspio they blamed the browser and advised me to tell users to close their browsers after use. This is of course not an acceptable solution. Why go through registration, manual verification, and SSL authentication steps if data is just going to be available in the cache?

Has anyone else experience this issue, and how did you overcome it? Thank you for your help.

Link to comment
Share on other sites

2 answers to this question

Recommended Posts

  • 0

Disabling the back button and how the browser caches information is NOT an easy thing.

Looking at Caspio’s response code on any page, I can see that they are using the appropriate cache control (i.e. . Also, when a user logs out all cookies are destroyed, therefore previously authenticated pages cannot be re-submitted. However, preventing the user from clicking the back button (especially multiple times) is an exercise for the container of the application and the browser/web server that is running on.

Most libraries, airports, hospitals and in general public places, attack that problem by implementing some or all of the following actions:

1) Using specialized browser sessions that provide customized windows with no navigation. In that case you get your URL bar, your printing buttons, but no navigation or view source(!) or other menus.

2) Enclosing the Web pages in a container that disables the back button from the right click menu (many JavaScript solutions are available for that). Will prevent most users but not all.

3) Making the back button behave like a forward button

<script language="JavaScript">
	<!--
	  javascript:window.history.forward(1);
	//-->
	</script>
4) Having a mechanism (i.e. scheduled job) that periodically cleans up the browser cache from the computer. In addition, some of the latest browsers allow for “private browsing†where nothing gets cached in searches or pages. Then the administrator configures (and locks down) the system in a way that each user has to open a new private session when browsing.

Unfortunately, I have found that there is still no way of truly disabling the back button for all cases. All the methods will, with varying degrees of success, prevent the user from viewing the previous page, but they all have their limitations. There is no way to completely disable the back button... sorry!

Link to comment
Share on other sites

  • 0

Note that many times a web app that doesn't seem to have this problem is making heavy use of Ajax techniques (Rich Internet App, Web 2.0, whatever you want to call it). See Gmail or Yahoo Mail for example. This is where you essentially stay on one web page, and the individual bits of data throughout the page change dynamically.

This does prevent users from going back, since "back" is a prior application state, not an address. The downside is when you desire to enable the back button, as well as trying to enable bookmarks/links, etc. Very challenging to do, as the URL almost becomes meaningless in such cases.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Answer this question...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
 Share

×
×
  • Create New...