I've just finished a login script and noticed that even after I log out, I can go back and view the protected page again. This really isn't an issue because the user can't do any damage, but I do get loads of JavaScript errors that I don't like. I'd like to be able to totally prevent client-side caching if at all possible.

I've tried the following but it isn't working as I can still go back and see a cached copy. Here is what I'm using so far.

    header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
    header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past

jim

2 Answers

Have you tried something a little more comprehensive?

    Expires: Sat, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache

Source: http://www.php.net/manual/en/function.session-cache-limiter.php

kijin
  • @kijin, I've tried this but unless I'm not understanding something, I can still go back and see the protected page. Even with your "comprehensive" example, it still seems to be caching the results. – jim Nov 12 '10 at 02:06
  • I should also mention that if I try to go back using Chrome, I'm not able to do so. It seems that I don't need any of the header functions with Chrome. – jim Nov 12 '10 at 02:11
  • @jim What other browsers are you testing this on, besides Chrome? Have you tried clearing the browser's cache? – kijin Nov 12 '10 at 02:22
  • Well, it's failing in Opera. All others seem to work as expected. I've also been searching for anything I can find and have come up with a few other links that indicate that Opera seems to ignore the no-cache request. Is it hopeless? – jim Nov 12 '10 at 02:23
  • Are you using [Opera Turbo](http://www.opera.com/browser/turbo/) or some other performance-enhancing setting? Opera can cache things very aggressively depending on how it's configured. AFAIK it's impossible for a server to force a client to refresh something if the client is configured not to refresh. – kijin Nov 12 '10 at 02:26
  • No, not at all. Actually, I don't think I have ever used it. I've just verified that it is in fact off. Maybe I can check the browser settings to see if I can control it. Even though many don't use Opera, it is my browser of choice and I always want to have things working there first. – jim Nov 12 '10 at 02:29
  • I found an option under the "History" tab that allows the caching of pages and images. When I select "Never", the browser acts as expected. Of course, I don't need the header function but it sort of defeats the purpose. I guess Opera just ignores the header request. – jim Nov 12 '10 at 02:36
  • @jim It seems Opera ignores cache-control headers when you revisit a page using the back button, unless the page is delivered over HTTPS. See [Source 1](http://bluebones.net/2007/09/prevent-browser-caching/) and [Source 2](http://stackoverflow.com/questions/2866826/how-do-i-stop-opera-from-caching-a-page). This is actually permitted by the relevant RFCs, so I don't think Opera will fix it any time soon. – kijin Nov 12 '10 at 02:37
  • kijin, Thanks for the links and the research! I'm going there now. – jim Nov 12 '10 at 02:39
  • In your source1 link, the poster asks a very good question about how banks deal with this situation. I'm almost tempted to log into my bank account, log out and then see if I can view the stale page. – jim Nov 12 '10 at 02:44
  • @jim According to source 2, it won't work if the page was requested over a secure connection. Hopefully your bank uses HTTPS. – kijin Nov 12 '10 at 02:50
  • Ahh, that's right, SSL stops that. I haven't logged into my bank but I'd assume that BofA does use SSL. Thanks again for helping me understand cache. – jim Nov 12 '10 at 02:55

I'm not sure if this will work for an entire page, but it's worth a shot.

We serve up dynamic images that have the exact same file name, over and over. Obviously caching these images would be bad, bad, bad (and completely break our app, really).

So, we send these three headers to the browser, and it has been working great to completely eliminate all caching of the images on all browsers:

    // Prevent the image from caching, so it is created fresh each time.
    app.Response.AddHeader("pragma", "no-store,no-cache"); // HTTP 1.0
    app.Response.AddHeader("cache-control", "no-cache, no-store, must-revalidate, max-age=-1"); // HTTP 1.1
    app.Response.AddHeader("expires", "Mon, 14 Jul 1789 12:30:00 GMT"); // Date in the past

Note: We tested LOTS of variations, but these were the three essential ingredients in the magic recipe to prevent client-side image caching. You may have success using these for an entire page, but I have not tested that specific scenario.

Flipster
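An added example, not part of any post in this thread: a small Python audit that parses `Cache-Control` and reports whether a response for a protected page may still be stored, run against the three header sets posted above. The function names and `SAMPLES` are hypothetical; it checks only what the server sends, and as the comments note, a browser's back-button history can behave differently.

```python
# Added example: audit response headers for a page that must not be stored.
# SAMPLES holds the header sets posted in this thread; all names are hypothetical.

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def audit(headers):
    """Return findings for a response that should never be written to a cache."""
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    findings = []
    if "no-store" not in cc:
        # no-cache alone still lets a cache keep the copy and revalidate it.
        findings.append("no-store missing: response may be stored")
    if "public" in cc:
        findings.append("public present: shared caches may store the response")
    max_age = cc.get("max-age")
    if max_age is not None and not max_age.isdigit():
        # max-age takes a non-negative integer number of seconds.
        findings.append("max-age=%s is not a valid number of seconds" % max_age)
    return findings


SAMPLES = {
    "question": {
        "Cache-Control": "no-cache, must-revalidate",
        "Expires": "Sat, 26 Jul 1997 05:00:00 GMT",
    },
    "first answer": {
        "Expires": "Sat, 26 Jul 1997 05:00:00 GMT",
        "Cache-Control": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0",
        "Pragma": "no-cache",
    },
    "second answer": {
        "pragma": "no-store,no-cache",
        "cache-control": "no-cache, no-store, must-revalidate, max-age=-1",
        "expires": "Mon, 14 Jul 1789 12:30:00 GMT",
    },
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, "->", audit(headers) or "no findings")
```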