FE logout and browser back button

Hi,

I stumbled on this: a logged-out FE visitor can press the back button of the browser and he gets the previous view even though the page is in the access restricted area and "no cache" type (or configured so).

I tried all kinds of combinations of these (0 or 1) in the root template setup:

config.sendCacheHeaders = 1
config.sendCacheHeaders_onlyWhenLoginDeniedInBranch = 1
config.no_cache = 1
config.cache_period = 1 //the default cache expires time, this is 1 second

..I'm pretty much shooting in the dark here as one can suspect, but these didn't have any desired effect.

Adding this in the page header helped in some browsers, but not all:

<META HTTP-EQUIV="Pragma" CONTENT="no-cache"><META HTTP-EQUIV="Expires" CONTENT="-1">

So, what is your method in access restricted pages to prevent the browser's back button from showing the previous page that was in the restricted area? Maybe force the browser to close altogether..?

--
With kind regards
Katja Lampela
*Lieska-tuotanto * www.lieska.net

_______________________________________________
TYPO3-english mailing list
TYPO3-english@...
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-english
Re: FE logout and browser back button

On Tue, 03 Nov 2009 09:49:27 +0200, Katja Lampela wrote:

> Hi,
>
> I stumbled on this: a logged out FE visitor can press the back button of
> the browser and he gets the previous view even though the page is in the
> access restricted area and "no cache" type (or configured so).
>
> I tried all kinds of combinations of these (0 or 1) in the root template
> setup:
>
> config.sendCacheHeaders = 1
> config.sendCacheHeaders_onlyWhenLoginDeniedInBranch = 1
> config.no_cache = 1
> config.cache_period = 1 //the default cache expires time, this is 1 second
>
> ..I'm pretty much shooting in the dark here as one can suspect, but
> these didn't have any desired effect.

all your server-config could not help you because most browsers show the page from browser-cache if you go back. there is no server request and so no configuration on the server can suppress the page display.

> Adding this in the page header, helped in some browsers, but not all:
>
> <META HTTP-EQUIV="Pragma" CONTENT="no-cache"><META HTTP-EQUIV="Expires"
> CONTENT="-1">

this may force some browsers to recall that page from server, where it gets denied. But that will suppress all browser-/proxy-caching for every page. This means a lot more traffic for your server and a lot more waiting time for your page visitors.

> So, what is your method in access restricted pages to prevent the
> browser's back button to show the previous page that was in the
> restricted area? Maybe force the browser close all together..?

you (as page provider) can do nothing. your page visitors can clear their browser cache (and proxy?) to prevent other computer-users from getting content from pages they visited while logged in.

how will you prevent users from accessing locally stored page information ('save page') after log-out?

bernd
--
http://www.pi-phi.de/cheatsheet.html
Re: FE logout and browser back button

Katja Lampela wrote:

> I stumbled on this: a logged out FE visitor can press the back button of
> the browser and he gets the previous view even though the page is in the
> access restricted area and "no cache" type (or configured so).

Think about the following: If the user would have saved all pages to disk he could still view them on the next day - without logging in.

Although it could be possible you find some HTTP headers forcing the browser to reload history pages, I guess most browsers implement the "Back" button like you described.

I just had a look at facebook. There your described behaviour doesn't occur. You should probably check what HTTP headers such applications like facebook, gmx, etc. are sending, and play around with those.

greets,
Bernhard
Re: FE logout and browser back button

Hi,

Bernhard Kraft wrote:

> I just had a look at facebook. There your described behaviour doesn't occur.
> You should probably check what HTTP header such applications like facebook,
> gmx, etc. are sending, and play around with those.

Thanks guys, this is what I've found and it's working for most browsers:

<head>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-store, no-cache, must-revalidate">
<META HTTP-EQUIV="Cache-Control" CONTENT="post-check=1, pre-check=2">
<META HTTP-EQUIV="Expires" CONTENT="-1">
</head>

But now IE7 doesn't care about this, it still delivers the cached content. For it the previous code (with head tags and all) should be duplicated into the bottom of the code, just before the final </html> and outside </body>. So the last rows of the output should be:

...blahblah
</body>
<head>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-store, no-cache, must-revalidate">
<META HTTP-EQUIV="Cache-Control" CONTENT="post-check=1, pre-check=2">
<META HTTP-EQUIV="Expires" CONTENT="-1">
</head>
</html>

And sure this is wrong and does not validate, but in this case it just doesn't matter, it's a closed extranet and security overrules everything.

But how can I add this code after </body>? With normal page.xxx it ends inside the body tag. And adding it into the html template doesn't work.

--
With kind regards
Katja Lampela
*Lieska-tuotanto * www.lieska.net
Re: FE logout and browser back button

Hi,

bernd wilke wrote:

>> <META HTTP-EQUIV="Pragma" CONTENT="no-cache"><META HTTP-EQUIV="Expires"
>> CONTENT="-1">
>
> this may force some browsers to recall that page from server, where it
> gets denied. But that will supress all browser-/proxy-caching for every
> page. This means a lot of more traffic for your server and a lot of more
> waiting time for your page visitors.

Thank you. Fortunately this is not that much extra traffic, so this is not a real problem. But good to remember.

>> So, what is your method in access restricted pages to prevent the
>> browser's back button to show the previous page that was in the
>> restricted area? Maybe force the browser close all together..?
>
> you (as page provider) can do nothing. your page visitors can clear their
> browser cache (and proxy?) to prevent other computer-users to get content
> from pages they visited while logged in.
>
> how will you prevent users to access localy stored page information
> ('save page') after log-out?

You are right. But for a normal visitor, this just seems like a security risk that can and should be prevented. So it looks like two options:

1. some code (that I haven't discovered yet) that prevents caching in every browser
2. force browser close on logout

--
With kind regards
Katja Lampela
*Lieska-tuotanto * www.lieska.net
Re: FE logout and browser back button

Katja Lampela wrote:

> </body>
> <head>
> [...]
> </head>
> </html>
>
> And sure this is wrong and does not validate, but in this case it just
> doesn't matter, it's a closed extranet and security overrules everything.
>
> But how can I add this code after </body>? With normal page.xxx it ends
> inside the body tag. And adding it into the html template doesn't work.

Looks very grotesque. I would not want to have a <head> tag just after </body>.

What I suggested is that you have a look at the HTTP headers being sent (using some http tracking tool). Like when you use PHP's "header()" function.

You could also enforce this behaviour by probably placing your meta-tag contents into the "header()" call:

------------------------------------
header('Pragma: no-cache');
header('Cache-Control: no-store, no-cache, must-revalidate, post-check=1, pre-check=2'); // Whatever those do ...
header('Expires: -1');
------------------------------------

You could put this somewhere at the top of index.php, and if you do not want to modify the typo3-source you could also put it into typo3conf/extTables.php and put

if (TYPO3_MODE=='FE') {
}

around it.

greets,
Bernhard
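Bernhard's advice, here and in his earlier reply, is to look at the HTTP headers the server really sends instead of trusting META tags. The script below is an added example, not code from this thread or from TYPO3: it parses a captured raw header block and reports whether a browser is still allowed to show the page from its history cache after logout. The two embedded responses are constructed for the example (one with only a short cache period, one carrying the three header() lines above); the finding texts are the example's own.

```python
"""Added example (not from the thread or TYPO3): audit the raw HTTP headers
a server sent for a restricted page for the post-logout Back-button problem."""

# Constructed sample: only a short cache period, roughly what
# config.cache_period = 1 alone would yield (status line and date invented).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1
Expires: Tue, 03 Nov 2009 07:49:28 GMT
"""
# Constructed sample carrying the three header() lines from the thread.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=1, pre-check=2
Expires: -1
"""

def parse_raw_headers(raw):
    """Return {lower-case name: [values]}; repeated headers are kept."""
    headers = {}
    for line in raw.strip().splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # skip the status line and anything malformed
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def cache_control_directives(headers):
    """Merge every Cache-Control value into one set of directive names."""
    return {tok.strip().lower().split("=")[0]
            for value in headers.get("cache-control", [])
            for tok in value.split(",") if tok.strip()}

def audit(headers):
    """List findings; empty means a Back press cannot be served from cache."""
    findings, cc = [], cache_control_directives(headers)
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: the browser may keep a copy "
                        "and show it from history with no server request")
        if "no-cache" in cc:
            findings.append("no-cache alone only forces revalidation on reuse; "
                            "most browsers do not treat history navigation as reuse")
    if "pragma" in headers and "cache-control" not in headers:
        findings.append("only Pragma: no-cache is set; HTTP/1.1 clients act on "
                        "Cache-Control, not on Pragma in a response")
    return findings
```

Feed `audit(parse_raw_headers(raw))` a header block captured from your own site (for example the output of a `HEAD` request) to see which of the three checks it fails.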
Re: FE logout and browser back button

Hi Bernhard and thank you,

Bernhard Kraft wrote:

> What I suggested, is that you have a look at the HTTP headers being sent
> (using some http tracking tool). Like when you use PHPs "header()" function.

Couldn't find such a tool yet.

> You could also enforce this behaviour, by probably placing your meta-tag
> contents into the "header()" call:
>
> ------------------------------------
> header('Pragma: no-cache');
> header('Cache-Control: no-store, no-cache, must-revalidate, post-check=1, pre-check=2'); // Whatever those do ...
> header('Expires: -1');
> ------------------------------------
>
> You could put this somewhere at the top of index.php, and if you do not want
> to modify the typo3-source you could also put it into typo3conf/extTables.php
> an put and
>
> if (TYPO3_MODE=='FE') {
> }
>
> around it.

Didn't get this working either, tried it in extTables.php and localconf.php (not in index.php because of shared core):

if (TYPO3_MODE=='FE') {
  header('Pragma: no-cache');
  header('Cache-Control: no-store, no-cache, must-revalidate, post-check=1, pre-check=2');
  header('Expires: -1');
}

So I'm checking now how I could condition the site so that the browser would close if not logged in...

--
With kind regards
Katja Lampela
*Lieska-tuotanto * www.lieska.net
Re: FE logout and browser back button

Hi,

I just found a new and very disturbing insecure feature with new firefox - after logging out, if I push the browser back button enough I can actually log in again!

regards,
Katja

Katja Lampela wrote:

> Hi,
>
> I stumbled on this: a logged out FE visitor can press the back button of
> the browser and he gets the previous view even though the page is in the
> access restricted area and "no cache" type (or configured so).
>
> I tried all kinds of combinations of these (0 or 1) in the root template
> setup:
>
> config.sendCacheHeaders = 1
> config.sendCacheHeaders_onlyWhenLoginDeniedInBranch = 1
> config.no_cache = 1
> config.cache_period = 1 //the default cache expires time, this is 1 second
>
> ..I'm pretty much shooting in the dark here as one can suspect, but
> these didn't have any desired effect.
>
> Adding this in the page header, helped in some browsers, but not all:
>
> <META HTTP-EQUIV="Pragma" CONTENT="no-cache"><META HTTP-EQUIV="Expires"
> CONTENT="-1">
>
> So, what is your method in access restricted pages to prevent the
> browser's back button to show the previous page that was in the
> restricted area? Maybe force the browser close all together..?

--
With kind regards
Katja Lampela
*Lieska-tuotanto * www.lieska.net
Re: FE logout and browser back button

..also in Safari. Neither Chrome nor IE lets you log in again.

Katja Lampela wrote:

> Hi,
> I just found a new and very disturbing not secure feature with new
> firefox - after logging out, if I push browser back button enough I can
> actually login again!
> regards,
> Katja

--
With kind regards
Katja Lampela
*Lieska-tuotanto * www.lieska.net
Re: FE logout and browser back button

Hi again - I added this in the index.php and it works. Now I have another problem though, but I'll start another thread about that. Thanks again :)

Bernhard Kraft wrote:

> ------------------------------------
> header('Pragma: no-cache');
> header('Cache-Control: no-store, no-cache, must-revalidate, post-check=1, pre-check=2'); // Whatever those do ...
> header('Expires: -1');
> ------------------------------------

--
With kind regards
Katja Lampela
*Lieska-tuotanto * www.lieska.net