Dear Wiki user, You have subscribed to a wiki page or wiki category on "Struts Wiki" for change notification.
The following page has been changed by MichaelJouravlev: http://wiki.apache.org/struts/BrowserBackAndSecurity The comment on the change is: Data Caching vs. Browser Session History ------------------------------------------------------------------------------ With this set, responses from your Struts application will include the cache-control headers and the browser will never cache them. As a result, when the user hits the 'back' button, the browser will always request a fresh copy of the page and will never be presented with a cached, stale copy. + === Data Caching vs. Browser Session History === + + Technically, there is a difference between caching of resource data and storing resource location in useragent's page history. + + * Clicking on a link - only data cache is checked + * Moving back or forward - data cache and/or page history may be checked depending on browser vendor + * Forcing page reload - cache is not checked, page is reloaded + + According to section 13.13 of [http://www.ietf.org/rfc/rfc2616.txt HTTP 1.1 specification] a user agent should not reload data from resource while navigating page history. This is exactly the reason why [http://www.opera.com/support/search/supsearch.dml?index=82 Opera does not reload a page when you click Back] even if the page is marked as non-cachable: + + {{{ + RFC2616, 13.13 History Lists + ---------------------------- + History mechanisms and caches are different. In particular history mechanisms SHOULD NOT try to show a semantically transparent view of the current state of a resource. Rather, a history mechanism is meant to show exactly what the user saw at the time when the resource was retrieved. + }}} + + Other browsers behave differently. For example, MSIE reloads a page in both SSL and non-SSL mode if response contains "no-cache" cache-control header. Mozilla reloads a "no-cache" page only in SSL mode, for non-secure mode it requires "no-store" header. + + One might say that Opera provides cleaner separation between data caching and location history. On the other hand, for many stateful web applications this behavior ruins the idea of page<->data synchronization at any given time. Mozilla seems to be a good compromize between MSIE, that basically puts equal sign between data caching and location history, and Opera. + === Enforcing Page Security === The problem with with users accessing secured pages by hitting the back button after logging out is partially solved by implementing cache control as described above, but that is only part of the solution. With cache control in place, the browser will request a fresh copy of the secured page but it is up to the application to determine that the user is no longer logged in and refuse to display the requested page. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
