[nycphp-talk] back button, page timeout, sessions

Nunez, Eddy enunez at tiaa-cref.org
Fri Jan 30 14:41:50 EST 2004


I've encountered this same problem with no real way to handle it...
Question though:
> The most common approach is to use an intermediate page for processing, so
> that the POST request does not exist in the browser's history mechanism.

Does this mean that the intermediate page processes and generates an output
file (or something) to redirect the user to?

It makes sense to me, but would there be a better way than generating a
temporary results page?

-EAN

-----Original Message-----
From: Chris Shiflett [mailto:shiflett at php.net]
Sent: Friday, January 30, 2004 2:35 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] back button, page timeout, sessions


--- Dan Cech <dcech at phpwerx.net> wrote:
> I tend to use some cache control headers:
> 
> Expires: Fri, 30 Jan 2004 17:39:20 GMT
> Cache-Control: private, no-store, no-cache, no-transform, must-revalidate
> Cache-Control: max-age=1, s-maxage=1, pre-check=1, post-check=1
> Pragma: no-cache

I've seen this approach before by people who just want to eliminate
caching altogether. That's not always best, and this question actually
highlights one reason why. Using no-store is pretty absolute, although
different browsers interpret this in different ways (see
http://lists.nyphp.org/pipermail/talk/2003-March/002828.html). In general,
it is better to understand the various directives for Cache-Control and
use the ones most appropriate for your situation.

> Other than that I also use a per-form token to ensure that a given form
> cannot be submitted twice.

This can ensure that a form is not submitted twice (as well as help to
protect against CSRF and similar attacks), but it doesn't help the "page
has expired" problem that was originally asked. The most common approach
is to use an intermediate page for processing, so that the POST request
does not exist in the browser's history mechanism.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
     Coming mid-2004
HTTP Developer's Handbook
     http://httphandbook.org/
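
The intermediate-page approach and the per-form token discussed in this thread, combined in one script as an added example that is not part of the original messages. It assumes PHP 7+ with sessions; the field names `token` and `item` and the `save_order()` helper are hypothetical, and the result is carried to the GET page in the session rather than in a generated file.

```php
<?php
// Added example: Post/Redirect/Get with a one-time form token, in one file.
// Assumptions: PHP 7+ sessions; field names and save_order() are hypothetical.
declare(strict_types=1);
session_start();

function save_order(string $item): string   // stand-in for the real processing
{
    return 'Order recorded for ' . $item;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent   = is_string($_POST['token'] ?? null) ? $_POST['token'] : '';
    $stored = $_SESSION['form_token'] ?? '';
    unset($_SESSION['form_token']);          // one-time: a replayed POST finds no token

    if ($stored !== '' && hash_equals($stored, $sent)) {
        $item = is_string($_POST['item'] ?? null) ? $_POST['item'] : '';
        $_SESSION['flash'] = save_order($item);
    } else {
        $_SESSION['flash'] = 'Form already submitted or token invalid.';
    }
    // 303 See Other: the browser follows with a GET, so Back and Reload
    // land on the GET page and never re-send the POST.
    header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
    exit;
}

// GET: show the result of the previous POST once, then issue a fresh token.
$flash = $_SESSION['flash'] ?? null;
unset($_SESSION['flash']);
$_SESSION['form_token'] = bin2hex(random_bytes(32));
$self = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<title>Order</title>
<?php if ($flash !== null): ?>
<p><?= htmlspecialchars($flash, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="<?= $self ?>">
  <input type="hidden" name="token" value="<?= $_SESSION['form_token'] ?>">
  <input name="item" required>
  <button>Submit</button>
</form>
```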