[OWASP_PHPSEC] Back Button loads cached page

Sven Rautenberg sven at rtbg.de
Fri Oct 18 07:45:37 UTC 2013


Hi there!

Only SOME browsers are loading from the cache. The correct behavior is
to load from HISTORY, which is something entirely different, but was
described that way in some rather old RFC documents I read years ago (so I
don't remember their numbers now).

The back and forward buttons of the browser move the user through his
history, with the back button showing the page in the state the user
left it in. This in particular means the state also includes ALL FORM FIELDS
FILLED with the content that was there when the page was left (probably
excluding password fields - I cannot check right now).

You cannot really work around this server-side. The user has to destroy
his history himself by closing that browser tab, window or instance.

Regards,
Sven

Am 18.10.2013 01:53, schrieb rahul chaudhary:
> Hello Guys,
> 
> While making the sample application, after "logout", I observed that
> clicking the back button in the browser loads the cached page, i.e. "the
> page where the user is still logged in". I tried doing "no-cache", but it
> is still being loaded from the cache. I also observed that even though I
> unset the $_POST variables which contain the userID and password, by
> clicking the back button they are still not deleted; their values come up
> on the screen again.
> 
> So, for this do we need a cache-control library or is there some
> work-around?
> 
> 
> 
> _______________________________________________
> OWASP_PHP_Security_Project mailing list
> OWASP_PHP_Security_Project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
> 
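Added example (not code from the thread or from the OWASP PHP Security Project): what the server side can and cannot do about the behaviour Rahul reports. It assumes a session-based login that keeps the user id in $_SESSION['user_id']; the file names logout.php, login.php and dashboard.php are hypothetical. The point of the example is the difference between "no-cache", which Rahul tried, and "no-store", which is the directive that actually forbids a cache from keeping the page; note that PHP's default session cache limiter ("nocache") already emits a no-store header set when session_start() is called, so an application that sees cached logged-in pages is usually sending output or custom headers that override it.

```php
<?php
// Added example, not from the original thread. Assumptions: login state lives
// in $_SESSION['user_id']; logout.php, login.php and dashboard.php are
// hypothetical file names.

function send_no_store_headers(): void
{
    // "no-store" forbids storing the response in any cache (HTTP/1.1).
    // "no-cache" alone still allows storing it and only requires revalidation,
    // which is why "no-cache" by itself did not help in the question above.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');   // for HTTP/1.0 caches
    header('Expires: 0');
}

// logout.php: invalidate the session server-side, drop the cookie, redirect.
function logout(): void
{
    session_start();              // default cache limiter also sends no-store
    send_no_store_headers();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: login.php', true, 303);
    exit;
}

// Top of every protected page, e.g. dashboard.php: the check runs on every
// request, so a page re-fetched after logout redirects instead of rendering.
function require_login(): void
{
    session_start();
    send_no_store_headers();
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php', true, 303);
        exit;
    }
}
```

What this does not do is exactly Sven's point: the headers stop a cache from serving the old page, but they do not clear the browser's history, and a browser that restores the previous page state from history (rather than re-requesting it) will still show it, form fields included. The restored field values never come from $_POST on the server, so unsetting $_POST cannot remove them; at most, autocomplete="off" on the login form fields asks the browser not to keep them, and a page that re-checks the session on every request (as require_login() does) cannot be used for anything once the session is destroyed, whatever the history shows.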