[nycphp-talk] back button, page timeout, sessions
Dan Cech
dcech at phpwerx.net
Fri Jan 30 12:49:14 EST 2004
Chris Shiflett wrote:
> --- Chris Hubbard <chubbard at next-online.net> wrote:
>
>>What are strategies you've implemented to eliminate the "this page has
>>expired" that commonly gets displayed after a user clicks the back
>>button?
>
> You can try:
>
> 1. Intermediate processing page that uses a protocol-level redirect, so
> that POST data is only ever sent to this intermediate page.
> 2. Cache-Control: private
> 3. Someone else's suggestions. :-)
Personally I have a strong aversion to using 'processing' pages, but
that's just me....
I tend to use some cache control headers:
Expires: Fri, 30 Jan 2004 17:39:20 GMT
Cache-Control: private, no-store, no-cache, no-transform, must-revalidate
Cache-Control: max-age=1, s-maxage=1, pre-check=1, post-check=1
Pragma: no-cache
I actually have a function to generate the appropriate headers...if
anyone is interested I can mail it off-list. It can also generate
appropriate headers for objects which should be cached by proxies and
browsers (very useful for php generated images, etc).
Other than that I also use a per-form token to ensure that a given form
cannot be submitted twice.
This solution seems to work fairly well: the headers ensure that use of
the back and forward buttons still takes you to a current version of the
page, whilst the tokens prevent forms from being submitted twice (i.e.
when a user submits a form, moves on, then uses the back button to
return to the submission page).
By combining this with a decent url rewriting system I can keep my urls
short and readable and everything Just Works.
Dan
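
A sketch of the per-form token described in the message above, added here as an illustration; it is not Dan's function or code from the list. The function names and the `form_tokens` session key are assumptions, and `$session` stands in for `$_SESSION` after `session_start()`.

```php
<?php
// Added example (hypothetical names): single-use per-form tokens.

// Issue a random token for one rendering of a form and remember it
// server-side. The token goes into the form as a hidden field.
function issue_form_token(array &$session, string $form_id): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_tokens'][$form_id][$token] = time();
    return $token;
}

// Accept a token at most once. It is deleted on first use, so the same
// POST replayed via Back or Refresh no longer matches anything.
function consume_form_token(
    array &$session,
    string $form_id,
    string $token,
    int $max_age = 3600
): bool {
    $issued = $session['form_tokens'][$form_id] ?? [];
    foreach ($issued as $known => $issued_at) {
        // Constant-time comparison of the stored and submitted values.
        if (hash_equals((string) $known, $token)) {
            unset($session['form_tokens'][$form_id][$known]);
            // Stale tokens are consumed but rejected.
            return (time() - $issued_at) <= $max_age;
        }
    }
    return false;
}

// Constructed demo: an in-memory array instead of a real session.
$session = [];
$token = issue_form_token($session, 'checkout');

// First submission of the form.
var_dump(consume_form_token($session, 'checkout', $token));
// Same POST sent again after the user pressed Back.
var_dump(consume_form_token($session, 'checkout', $token));
// A value that was never issued for this form.
var_dump(consume_form_token($session, 'checkout', 'not-a-real-token'));
```

On a rejected token the handler should skip the side effect (insert, charge, e-mail) and show the current state of the page instead of processing the POST again.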