[OWASP_PHPSEC] Back Button loads cached page

rahul chaudhary rahul300chaudhary400 at gmail.com
Fri Oct 18 12:53:11 UTC 2013

hey guys,
found the answer. It was a silly thing.

So, what was happening is that once I had the user logged-in, I was just
getting the next index page (using "require_once" and NOT REDIRECTING). And
so when the user logged out and pressed the back button, all the form data
was still there because it was 1 single page just loading another page.

The solution was to redirect the user to another page. With redirect, all
the form fields are lost. So, now refreshing does not resubmit the form
data. Also, to deal with the back button, I added some checks, and if the
checks are not satisfied, then the previous page is not loaded.

On Fri, Oct 18, 2013 at 3:45 AM, Sven Rautenberg <sven at rtbg.de> wrote:

> Hi there!
> Only SOME browsers are loading from the cache. The correct behavior is
> to load from HISTORY. Which is something entirely different, but was
> described so in some rather old RFC documents I've read years ago (so I
> don't remember their number now).
> The back and forward buttons of the browser are moving the user in his
> history, with the back button showing the page in that state the user
> left it. This especially means the state includes also ALL FORM FIELDS
> FILLED with the content that was there when the page was left (probably
> excluding password fields - I cannot check right now).
> You cannot really work around this server-side. The user has to destroy
> his history himself by closing that browser tab, window or instance.
> Regards,
> Sven
> On 18.10.2013 01:53, rahul chaudhary wrote:
> > Hello Guys,
> >
> > While making the sample application, after "logout", I observed that
> > clicking the back button in the browser loads the cached page i.e. "the
> > page where the user is still logged in". I tried doing "no-cache", but it
> > still is being loaded from cache. I also observed that even though I
> > unset $_POST variables which contain userID and password, by clicking the back
> > button, they are still not deleted, their values again come up on the
> > screen.
> >
> > So, for this do we need a cache-control library or is there some
> > work-around ??
> >

Rahul Chaudhary
Ph - 412-519-9634
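The fix Rahul describes (redirect after a successful POST instead of `require_once`-ing the next page, then gate the protected page on the session) is the Post/Redirect/Get pattern combined with server-side session checks. The following single-file PHP sketch is an added example written for this archive page; it is not code from the thread or from the OWASP PHP Security Project. The `action` query parameter routing, the `authenticate()` stub and the constructed `alice` credential are assumptions for illustration.

```php
<?php
// Added example (not from the thread): Post/Redirect/Get login flow plus a
// session-checked protected page and a logout that destroys the session.
// Routing via ?action=..., the authenticate() stub and the sample user are
// assumptions made for this illustration.
declare(strict_types=1);

session_start();

// Ask browsers and proxies not to store session-specific responses. As Sven
// notes, this does not control the browser's history list; it only prevents a
// plain cache hit, and with the session gone the re-requested page redirects.
function send_no_store_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Placeholder credential check. A real application looks the hash up in its
// user store; the constructed sample user below exists only for the demo.
function authenticate(string $user, string $password): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function handle_login(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        send_no_store_headers();
        echo '<form method="post" action="?action=login">'
           . '<input name="user"><input name="password" type="password">'
           . '<button>Login</button></form>';
        return;
    }
    $user     = (string)($_POST['user'] ?? '');
    $password = (string)($_POST['password'] ?? '');
    if (!authenticate($user, $password)) {
        // Redirect instead of rendering inline, so a refresh never resubmits.
        header('Location: ?action=login', true, 303);
        exit;
    }
    // New session id on privilege change (blocks session fixation), then
    // record the login in the session rather than keeping anything in $_POST.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    // 303 See Other: the follow-up request is a GET, so the POST body is gone
    // and the protected page is a separate history entry from the form.
    header('Location: ?action=index', true, 303);
    exit;
}

// The "check" for the back button: the protected page is served only while a
// valid session exists. After logout the same URL just redirects to login.
function require_login(): string
{
    if (empty($_SESSION['user'])) {
        header('Location: ?action=login', true, 303);
        exit;
    }
    return $_SESSION['user'];
}

function handle_index(): void
{
    $user = require_login();
    send_no_store_headers();
    echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8')
       . ' <a href="?action=logout">Logout</a>';
}

function handle_logout(): void
{
    $_SESSION = [];
    // Expire the session cookie as well, so the old id cannot be replayed.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ?action=login', true, 303);
    exit;
}

switch ($_GET['action'] ?? 'index') {
    case 'login':  handle_login();  break;
    case 'logout': handle_logout(); break;
    default:       handle_index();  break;
}
```

Run it with `php -S localhost:8080 app.php` (file name assumed) and log in as the constructed user. Pressing back after logout may still show a history snapshot in some browsers, as Sven says, but any refresh or navigation re-requests `?action=index`, which now redirects to the login form because the session no longer exists; nothing sensitive is re-sent because the credentials never lived beyond the single POST.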