[TYPO3-english] FE logout and browser back button

Katja Lampela katja.lampela at lieska.net
Thu Nov 12 01:52:05 CET 2009


Hi,
I just found a new and very disturbing not-secure feature with the new 
Firefox: after logging out, if I push the browser back button enough times I can 
actually log in again!
regards,
Katja

Katja Lampela wrote:
> Hi,
> 
> I stumbled on this: a logged out FE visitor can press the back button of 
> the browser and he gets the previous view even though the page is in the 
> access restricted area and "no cache" type (or configured so).
> 
> I tried all kinds of combinations of these (0 or 1) in the root template 
> setup:
> 
> config.sendCacheHeaders = 1
> config.sendCacheHeaders_onlyWhenLoginDeniedInBranch = 1
> config.no_cache = 1
> config.cache_period = 1 //the default cache expires time, this is 1 second
> 
> ..I'm pretty much shooting in the dark here as one can suspect, but 
> these didn't have any desired effect.
> 
> Adding this in the page header, helped in some browsers, but not all:
> 
> <META HTTP-EQUIV="Pragma" CONTENT="no-cache"><META HTTP-EQUIV="Expires" 
> CONTENT="-1">
> 
> So, what is your method in access restricted pages to prevent the 
> browser's back button from showing the previous page that was in the 
> restricted area? Maybe force the browser to close altogether..?
> 
> 

-- 
  With kind regards

Katja Lampela
*Lieska-tuotanto
* www.lieska.net
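The thread above is about a browser replaying a restricted page (or a login request) from its history cache after logout. The following is an added illustration, not code from Katja's post or from TYPO3: a small stand-alone WSGI application that shows the three server-side measures the problem usually calls for, namely sending `Cache-Control: no-store` as a real HTTP header on restricted responses (a `<meta http-equiv>` tag is not honoured by every browser's back/forward cache), invalidating the session server-side on logout so a stale cookie in an old tab is useless, and answering the login POST with a redirect so "back" cannot re-submit it. The paths `/login`, `/logout` and `/restricted`, the cookie name `sid` and the user `demo-user` are assumptions made for the example; the `walkthrough()` function drives the app in-process, with no network, and returns what each step produced.

```python
"""Constructed illustration (not TYPO3 code): a tiny WSGI app that serves
access-restricted pages with Cache-Control: no-store, invalidates the
session server-side on logout, and answers the login POST with a redirect
so neither the restricted view nor the login request can be replayed
from the browser's history cache."""
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # session id -> username; in-memory store for the demo

# Sent as real HTTP response headers: <meta http-equiv> tags are ignored
# by the back/forward cache in several browsers, response headers are not.
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]


def _session_id(environ):
    """Read the (assumed) 'sid' cookie, or None when absent."""
    morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get("sid")
    return morsel.value if morsel else None


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    method = environ.get("REQUEST_METHOD", "GET")
    sid = _session_id(environ)
    user = SESSIONS.get(sid)

    if path == "/login" and method == "POST":
        # Fresh random id per login; 303 so "back" never re-submits the POST.
        new_sid = secrets.token_urlsafe(32)
        SESSIONS[new_sid] = "demo-user"
        start_response("303 See Other", [
            ("Location", "/restricted"),
            ("Set-Cookie", f"sid={new_sid}; HttpOnly; Path=/"),
        ] + NO_STORE_HEADERS)
        return [b""]

    if path == "/logout":
        SESSIONS.pop(sid, None)  # kill the session server-side, not just the cookie
        start_response("303 See Other", [
            ("Location", "/"),
            ("Set-Cookie", "sid=; Max-Age=0; HttpOnly; Path=/"),
        ] + NO_STORE_HEADERS)
        return [b""]

    if path == "/restricted":
        if user is None:
            start_response("302 Found", [("Location", "/login")] + NO_STORE_HEADERS)
            return [b""]
        start_response("200 OK", [("Content-Type", "text/html")] + NO_STORE_HEADERS)
        return [f"<p>members-only content for {user}</p>".encode()]

    # Public pages may stay cacheable; only restricted ones get no-store.
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "public, max-age=3600")])
    return [b"<p>public page</p>"]


def call(path, method="GET", cookie=""):
    """Drive the app in-process; returns (status, headers as dict, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": method, "HTTP_COOKIE": cookie}
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def history_safe(headers):
    """True if the response carries no-store, i.e. must not be replayed from history."""
    return "no-store" in headers.get("Cache-Control", "").lower()


def walkthrough():
    """Login, view the restricted page, log out, then 'press back' with the old cookie."""
    status, hdrs, _ = call("/login", method="POST")
    sid = hdrs["Set-Cookie"].split(";", 1)[0].split("=", 1)[1]
    before = call("/restricted", cookie=f"sid={sid}")
    call("/logout", cookie=f"sid={sid}")
    after = call("/restricted", cookie=f"sid={sid}")  # stale cookie from an old tab
    return {
        "login_status": status,
        "restricted_before_logout": before,
        "restricted_after_logout": after,
        "public": call("/"),
    }


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(name, value[0] if isinstance(value, tuple) else value)
```

The `history_safe()` check is the part worth reusing against a real site: fetch a restricted page while logged in and confirm the `Cache-Control` header of the actual response (not the page's meta tags) contains `no-store`; if it does not, the browser is free to show that page from history after logout regardless of what the server would answer to a fresh request.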
