[nycphp-talk] back button, page timeout, sessions

Chris Shiflett shiflett at php.net
Fri Jan 30 14:35:00 EST 2004


--- Dan Cech <dcech at phpwerx.net> wrote:
> I tend to use some cache control headers:
> 
> Expires: Fri, 30 Jan 2004 17:39:20 GMT
> Cache-Control: private, no-store, no-cache, no-transform,
>  must-revalidate
> Cache-Control: max-age=1, s-maxage=1, pre-check=1, post-check=1
> Pragma: no-cache

I've seen this approach before by people who just want to eliminate
caching altogether. That's not always best, and this question actually
highlights one reason why. Using no-store is pretty absolute, although
different browsers interpret this in different ways (see
http://lists.nyphp.org/pipermail/talk/2003-March/002828.html). In general,
it is better to understand the various directives for Cache-Control and
use the ones most appropriate for your situation.

> Other than that I also use a per-form token to ensure that a given form
> cannot be submitted twice.

This can ensure that a form is not submitted twice (as well as help to
protect against CSRF and similar attacks), but it doesn't help the "page
has expired" problem that was originally asked. The most common approach
is to use an intermediate page for processing, so that the POST request
does not exist in the browser's history mechanism.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
     Coming mid-2004
HTTP Developer's Handbook
     http://httphandbook.org/
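
The two techniques discussed in this message, a single-use per-form token and processing that ends in a redirect so the POST is not what the browser's history replays, combined in one script. This is an added example, not code from the thread; the file name form.php, the field names and the session keys are assumptions, and it uses current PHP functions (random_bytes, hash_equals).

```php
<?php
// Added example: single-use form token plus redirect after POST.
// form.php, 'token', 'comment', 'form_token' and 'flash' are hypothetical names.
session_start();

function issue_form_token(): string
{
    $_SESSION['form_token'] = bin2hex(random_bytes(32));
    return $_SESSION['form_token'];
}

function consume_form_token($submitted): bool
{
    $expected = $_SESSION['form_token'] ?? '';
    unset($_SESSION['form_token']);      // single use: a replayed POST fails
    return is_string($submitted) && $expected !== ''
        && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_form_token($_POST['token'] ?? null)) {
        http_response_code(400);
        exit('Form already submitted or token invalid.');
    }
    // ... process the submission here (for example, store the comment) ...
    $_SESSION['flash'] = 'Saved.';
    // 303 makes the browser fetch the result with GET, so the POST is
    // not the history entry that Back or Reload would resubmit.
    header('Location: form.php', true, 303);
    exit;
}

$flash = $_SESSION['flash'] ?? '';
unset($_SESSION['flash']);
$token = issue_form_token();
?>
<!DOCTYPE html>
<p><?= htmlspecialchars($flash, ENT_QUOTES, 'UTF-8') ?></p>
<form method="post" action="form.php">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="comment">
  <button type="submit">Send</button>
</form>
```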


