easiest way to prevent the back button of your browser from showing secure data after a user logs out?

Question

In a normal web app w/ login and secure data, what is an easy way to secure that data and prevent it from being seen by using the browser's back button, once a user logs out?

Answer 1

Here's a useful browser caching guide.

You want to set the cache-control and expiration date headers (setting a date in the past), e.g.

 Cache-Control: no-cache
 Expires: Fri, 31 Dec 1998 12:00:00 GMT

Answer 2

Cache control headers (Expires, Cache-Control, ETag) will generally prevent the caching of the page, forcing the browser to request a new copy at which point you can check the session status. They are sometimes ignored in the interests of "performance" though.

There are two Javascript approaches that could help you:

• Use the exit event from your page (onSubmit for forms or onUnload for other pages) to clear the content when leaving pages.
• Use document.location.replace() instead of normal links when moving between pages so as not to leave a trail in the browser history that the user could return to.

Both of these are likely to have a pretty horrid effect on usability though.

Answer 3

There is no perfect solution

Although there are some very reasonable solutions to this (cache control headers, javascript, etc), you need to realise that once you have sent something to a client, it is out of your control. You cannot guarantee that the client will treat the data in the way you would like.

For example:

• there could be a bug in a browser
• a browser might allow users to turn off cache control
• a user might be running with javascript disabled

Sorry :(