#1 (permalink)
Junior Member
Join Date: Feb 2010
Posts: 1
I am writing a web-based application for banking clients, using the Safari browser. When the user logs out, I invalidate the server-side session, and the user is sent to a new page. In the HTML I try to add every meta tag I can find to invalidate the browser cache,

<meta http-equiv="Pragma" content="no-cache"/>
<meta http-equiv="Cache-Control" content="must-revalidate, no-store, no-cache, post-check=0, pre-check=0"/>
<meta http-equiv="Expires" content="0" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>

but without fail, a user can hit the back button and it shows the last page the user was in, without hitting the server. This exposes sensitive secure data like account balances and transactions.

What has to be done to tell the Safari browser to not use the cache from the back or history buttons, but hit the server instead?

Any help is appreciated,
Michael Smith
Software Engineer
Sybase / Financial Fusion
msmith6@sybase.com
801.319.7363

#2 (permalink)
Senior Member
How about logging out the user and then redirecting to another page - pressing back will go to the logout page.

Also, try to actually put a date in Expires rather than 0. Anything in the past will do.

Also, Safari 3 is known to break the logout for Basic HTTP authentication: Safari 3 Breaks HTTP Authentication | The Art of Web
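
An added example, not part of the thread or either poster's code: one way to apply both suggestions on the server, sending the cache directives as real HTTP response headers (with an actual past date in Expires) and redirecting after logout, plus a `pageshow` check for pages Safari restores from its back/forward cache without contacting the server. The paths, the `sid` cookie name and the in-memory session set are assumptions made for illustration.

```javascript
// Added example, not from the thread. Paths, cookie name and session store are hypothetical.
const sessions = new Set(["constructed-sample-session-id"]); // constructed sample data

// Cache directives sent as real HTTP response headers, not <meta> tags.
const NO_STORE = {
  "Cache-Control": "no-store, no-cache, must-revalidate",
  "Pragma": "no-cache",
  "Expires": "Thu, 01 Jan 1970 00:00:00 GMT", // an actual date in the past
};

// Inline script for every sensitive page: when the browser restores the page from
// its back/forward cache (event.persisted), force a fresh request to the server.
const BFCACHE_GUARD =
  "<script>window.addEventListener('pageshow',function(e){" +
  "if(e.persisted){window.location.reload();}});</script>";

function sessionId(req) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.headers.cookie || "");
  return m ? m[1] : null;
}

// Usable as the callback for Node's http.createServer(handle).
function handle(req, res) {
  for (const [k, v] of Object.entries(NO_STORE)) res.setHeader(k, v);
  const sid = sessionId(req);
  if (req.url === "/logout") {
    sessions.delete(sid); // invalidate the server-side session
    res.setHeader("Set-Cookie", "sid=; Max-Age=0; Path=/; HttpOnly; Secure");
    res.writeHead(303, { Location: "/logged-out" }); // back button lands here
    return res.end();
  }
  if (req.url === "/logged-out") {
    res.writeHead(200, { "Content-Type": "text/html; charset=UTF-8" });
    return res.end("<p>You have been logged out.</p>");
  }
  if (!sessions.has(sid)) { // no valid session: never render account data
    res.writeHead(303, { Location: "/logged-out" });
    return res.end();
  }
  res.writeHead(200, { "Content-Type": "text/html; charset=UTF-8" });
  res.end("<h1>Accounts</h1>" + BFCACHE_GUARD);
}
```

With this in place, a page restored by the back button reloads itself, the reload reaches the server, and the invalidated session is redirected to the logged-out page instead of showing account data.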