Disabling Back button after logout

Status
Not open for further replies.

scorniglia

Technical User
Jul 10, 2001
13
US
Hi Everyone,

I added security to my web pages by using a login screen and setting session variables. I am not using cookies. Everything is working fine with one exception. I want the users to be able to use the back and forward buttons on the browser once they are logged into the site. After they log out, however, I do not want them to be able to get back in without logging in again. I added a logout button that goes to a goodbye page that contains the code:

<CFSCRIPT> StructClear(Session); </CFSCRIPT>

However the user can still press the back button and return to whatever page he was just on. I added the following code to my pages:

<CFHEADER NAME="Expires" VALUE="Tue, 01 Jan 1985 00:00:01 GMT">
<CFHEADER NAME="Pragma" VALUE="no-cache">
<CFHEADER NAME="cache-control" VALUE="no-cache, no-store, must-revalidate">

When they hit the back button it comes to a system page that says nothing is cached, hit the refresh button, and when they do.....presto.... they are back in my site again.

How can I prevent reentry to the web site via the back button after logout while still allowing the back button to be used while the user is in the site? I noticed that this type of functionality is being used here on the Tek-Tips web site. How are they doing it? Thanks a lot for any help.

Regards,
Roy F.
 
You need to kill that session variable when they log out. You also need to be checking for the existence of that variable on each page.

I'm not sure, but I don't believe StructClear(Session) will actually clear the session variables. I thought CF Admin settings would override that. Perhaps I have incorrect info.

There are several things you could do here. With CF you could, on logout, set their session variable equal to something invalid. Like set session.username = 0 or something.

Disabling the browser's back button is futile though. As a designer, you rarely, if ever, want to resort to taking away the functionality of the user's software. In other words, the problem is not the user or their browser. If you disable the back button, they'll hit ALT-left arrow if they really want back in. It's like trying to disable "view-source": it can't be done. No matter what, someone can view source on your page (a whole different subject...sorry)

Do you get the same results if you close the browser and open it back up to the page you're talking about and hitting refresh?

Kevin
slanek@ssd.fsi.com
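
The per-request check described in the reply above, sketched as an added example (not code from anyone in this thread). The names recordsApp, Session.loggedIn, login.cfm and logout.cfm are assumptions; the login page is assumed to set Session.loggedIn after a successful login.

```cfml
<!--- Application.cfm: ColdFusion runs this before every .cfm page in the directory tree --->
<!--- Application name and timeout are assumed values --->
<CFAPPLICATION NAME="recordsApp" SESSIONMANAGEMENT="Yes"
               SESSIONTIMEOUT="#CreateTimeSpan(0, 0, 20, 0)#">

<!--- Ask the browser not to keep a copy, so Back has to re-request the page --->
<CFHEADER NAME="Expires" VALUE="Tue, 01 Jan 1985 00:00:01 GMT">
<CFHEADER NAME="Pragma" VALUE="no-cache">
<CFHEADER NAME="Cache-Control" VALUE="no-cache, no-store, must-revalidate">

<!--- Pages that may be viewed without a login (hypothetical file names) --->
<CFSET publicPages = "login.cfm,logout.cfm">
<CFSET thisPage = ListLast(CGI.SCRIPT_NAME, "/")>

<CFIF NOT ListFindNoCase(publicPages, thisPage)>
  <!--- Session.loggedIn exists only between a successful login and logout --->
  <CFLOCK SCOPE="Session" TYPE="ReadOnly" TIMEOUT="10">
    <CFSET isLoggedIn = StructKeyExists(Session, "loggedIn")>
  </CFLOCK>
  <CFIF NOT isLoggedIn>
    <!--- No flag: the request never reaches the protected page --->
    <CFLOCATION URL="login.cfm" ADDTOKEN="No">
  </CFIF>
</CFIF>

<!--- logout.cfm (separate file): remove the flag so the check above fails --->
<CFLOCK SCOPE="Session" TYPE="Exclusive" TIMEOUT="10">
  <CFSET StructClear(Session)>
</CFLOCK>
<p>You have been logged out.</p>
```

With the check running on every request, a Back or Refresh after logout that reaches the server is answered with the redirect to the login page. A Refresh on the page that processed the login form resubmits that form, so that page should redirect after a successful login instead of rendering content itself.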
 
Hey, I was wrong. You CAN clear the session variables with StructClear(), but I still can't duplicate your problem?

Kevin
slanek@ssd.fsi.com
 
Hi Kevin,
Thanks for the reply. I don't really want to disable the back button on the browser. I agree with you wholeheartedly that you don't want to take away the software's functionality. I only want to prevent the back button from allowing reentry into the site after the user logs out. The reason that this is very important to me is that the information on the site is very sensitive (medical records). I don't want someone to be able to go to a computer after the authenticated user has logged off but before the session expires, hit the back button and be able to get back in the site. I assume this happens because the page is stored in the browser's cache and it is accessing the cached page. What I want to do is both kill the session and flush the browser's cache when the user hits the log off button. So neither the back button nor refresh will allow anyone back in the site without logging in again. I thought perhaps there might be a JavaScript that flushes the cache?
Any ideas would be greatly appreciated. Thanks again.

Regards,
Roy F.
 
The easy answer would be to tell your users to close the browser window after logging out, but you know users... :)

Would you be interested in automatically closing the browser window upon logout? I can give you a small script that will close the window upon logout which will prevent anyone from hitting the back button. Then, the next time a user goes to the page, he or she will HAVE to log in again before being able to see anything.

Kevin
slanek@ssd.fsi.com
 
Hi Kevin,
Thanks again for the response. The solution that I have found so far is to have the Log Out button go to a blank page that contains the following code in the body tag:

onload="location.href='logout_page_users_see.cfm';"

Then if anyone hits the back button it takes them back to the blank page, which takes them back to the log out page. Seems to work well at this point. I wanted to put a CFLOCATION tag in the body of the blank page to try and accomplish the same thing but for some reason the back button still allows reentry into the app even though it seems like it should work just like the body onload tag does. I'm not sure why it doesn't? Seems like it should. Anyway thanks for the input.

Regards,
Roy F.
 
Hi,

Hope this helps:
To me, your approach is the best way, but instead of only having a location.href in the onload, I suggest you do this on the blank page, so that if the user is still logged in and has accidentally gone to this page, he will be brought back to where he was:

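<CFIF login IS TRUE>
<!--- Still logged in: send the browser back to the page it came from --->
<script type="text/javascript">
history.go(-1);
</script>
<CFELSE>
<!--- Not logged in: go on to the logout page --->
<CFLOCATION URL="logout.htm">
</CFIF>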

Marcelo Simon
 
Thanks Marcelo,
I'll give that a try also.

Regards,
Roy F.
 