Hi everybody

I have a logout page that destroy all the session variable I have. But when I click the browser's back button (after logout), I still can back to the page that need session (altought I cannot access anything there).

Why it can happen? I guess the session variable not destroy before I reload the page.
and how to make it can't back to the previous page?

My friend use PHP, and this not happen to him (he made some validation).

Thanks.. ;)

I would guess that it something to do with the caching of the page as you are not reloading the page but going back have you tried to refresh the page. Also if you are like me my script checks to see if they have a session and if not it creates one so if it is dropped it is renabled without them knowing to prevent denial of access errors.

Have you got it your script something like
if session("user") = "" then
response.redirect("denie.asp")
end if

but my guess is that the session is still there until you close the browser. Try closing it and going exactly to the page to see if it loads if it does then your session security is not enabled correctly.

I have tried all that.

But Is this ASP's weakness?
Because I have tried in PHP, after I click the browser's back window after remove a session variable, the session was removed.

hmm pass I aint used php in a while would need to play around in it.

My only guess is that the session is not being removed.

basically when you hit the back button you are getting a cached version of that page. this code will make the page actually reload instead of using a cached version. Put this at the top of your pages


Response.CacheControl = "no-Cache"
Response.AddHeader "Pragma" , "no-cache"
Response.ExpiresAbsolute = Now() -1

Great, it work!
Thanks

One more question, what is "Pragma"?

Once again thanks