Derek,

Look at TemplateSessionValidator. If you add a hidden variable to your
forms:

<input type="hidden" name="_session_access_counter" 
value="$data.getUser().getTemp("_session_access_counter")" />

this should prevent double submission of forms. Be careful, though, if your
page contains images or progress screens, as these result in additional HTML
page requests which increment the counter, and unless you manually adjust the
counter you may find the form doesn't get processed even on first submit.

Setting HTTP headers has worked for me most of the time. I think Scott
Eade posted something way back in the archives (years) on this, which
included a method of adding the time to the URL to fool proxy servers
that didn't respect the HTTP headers.

I am using 2.3 but I think all this goes back to 2.1 days.

I hope that this helps.

Regards,

Peter

On Sat, 2003-09-20 at 09:17, Derek Stevenson wrote:
> Apologies if this is the second time this is posted, my email and
> subscriptions have been screwy.  Here goes...
> 
> I'm trying to force a page reload when a user hits the back button on
> certain pages on my site:
> 
> 1) To ensure secure pages (with password info, etc) cannot be viewed once a
> user logs out
> 2) Certain pages contain forms that are intended for a single submission,
> and we need to prevent users from backtracking and resubmitting the form.
> 
> I've combed through the archives and have tried setting the HTTP headers to
> prevent caching, with the following settings:
> 
> "Cache-Control: no-store" OR "Cache-Control: no-cache, post-check=0,
> pre-check=0, private" (I've tried it both ways)
> Pragma: no-cache
> Expires: 0
> 
> I've done this both in a Velocity layout footer with $page.setHttpEquiv()
> and in the Default class layout (which extends VelocitySecureScreen), in
> doPostBuildTemplate() via data.getResponse().setHeader().  By forcing a page
> reload, my thought was to put such backtrack checking in the Default layout
> class so it's all in one place.  However, while these HTTP headers do in
> fact show up in my browser testing, I can still hit the 'back' button and
> view pages after I've closed the session by logging out.
> 
> Any thoughts on how to deal with this?  I'm stumped.  Using TDK 2.1 (sorry,
> have to for legacy compatibility reasons) and MySQL.
> 
> Thanks,
> Derek
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
-- 
Peter Courcoux <[EMAIL PROTECTED]>
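
The counter check described in the reply above, as an added example that is not part of the original message and is not Turbine's own code: a constructed Java simulation in which every request increments a per-session counter and a post is accepted only if its hidden value is at most one behind. The class, its methods and that acceptance rule are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed simulation; the Map stands in for the user's temporary session
// storage and is not Turbine's User class.
public class SessionCounterDemo {
    static final String KEY = "_session_access_counter";
    private final Map<String, Integer> temp = new HashMap<>();

    // Every request in the session, form post or not, increments the counter.
    int hit() {
        return temp.merge(KEY, 1, Integer::sum);
    }

    // Rendering the page is itself a request; the hidden field carries the
    // counter value seen at render time.
    int renderForm() {
        return hit();
    }

    // Assumed rule: accept only if nothing but this post happened since render.
    boolean submit(int hiddenValue) {
        return hiddenValue >= hit() - 1;
    }

    // Manual adjustment for requests that should not count (image, progress screen).
    void uncount() {
        temp.merge(KEY, -1, Integer::sum);
    }

    public static void main(String[] args) {
        SessionCounterDemo a = new SessionCounterDemo();
        int form = a.renderForm();
        System.out.println("first submit accepted:       " + a.submit(form));
        System.out.println("back button, resubmit:       " + a.submit(form));

        SessionCounterDemo b = new SessionCounterDemo();
        form = b.renderForm();
        b.hit();                      // extra request fetched by the page
        System.out.println("submit after extra request:  " + b.submit(form));

        SessionCounterDemo c = new SessionCounterDemo();
        form = c.renderForm();
        c.hit();                      // same extra request...
        c.uncount();                  // ...but its handler adjusts the counter
        System.out.println("submit after adjusted count: " + c.submit(form));
    }
}
```

Run as written, the first and last submissions are accepted, while the resubmission and the submission after an unadjusted extra request are rejected.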
