How can I disable cache to prevent users from seeing the contents on the previous pg


anthonysaulnier
10-17-2005, 03:51 PM
Good day, I am trying to write a perl and cgi script that disables cache, so that users simply cannot use the "back or forward" button on their browsers. I want them to have to log in again once their time expires. I have tried using ExpiresActive in the Apache configuration file, but no luck. I have also tried the following with no luck either:

#!/usr/bin/perl -w
#Created By Anthony Saulnier

use CGI;
use Digest::MD5 qw( md5_base64 );
$q = new CGI;
$expirytime=gmtime(time()+01*01*60)." GMT";
#basically sets the $expiry time to 60 second, but you have to put the hour and day for some reason
$username = $q->param('username');
$password = $q->param('hidden');
$submit = $q->param('submit');
$path = "/";
$domain = "http://www.anthonysaulnier.com";
#$usernamecookie = $q->cookie(-name=>'$username',
# -value=>$username,
# -expires=>$expirytime,
# -domain=>$domain,
# -path=>'/');

print $q->header;

#print $q->header(-cookie=>$usernamecookie);

print qq~<META HTTP-EQUIV="Cache-Control" CONTENT="NO-CACHE">~;
print qq~<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">~;
print qq~<META HTTP-EQUIV="expires" CONTENT="0">~;
print qq~<meta http-equiv="Refresh" content="65; url=http://10.0.0.1/cgi-bin/customers/mainlogin.cgi">~;


The user gets the message saying that cache is expired, but in reality it doesn't seem to expire. I know that it can be done because this happens with on-line banking services. When your time runs out or you are idle too long you get logged out and have to actually log back in again.

If anyone has any ideas it would be very much appreciated. I am even open to new ideas with different languages as long as it can be used with perl/cgi.


Thank you.


Anthony

the tree
10-17-2005, 04:01 PM
What?! How do you expect them to view anything without a cache? Anyways, the back button uses the history, which you cannot touch.

Charles
10-17-2005, 06:30 PM
Just a note, there is a reason that the CGI.pm module doesn't have routines for making META, "http-equiv" elements. Those elements are server directives that set or override the HTTP response headers. With the CGI.pm module we just set those headers directly:

#!c:\perl\bin\perl.exe

use strict;
use CGI qw (header);
use CGI::Carp qw(fatalsToBrowser);

print header ('-cache-control' => 'NO-CACHE', -expires => -1, -pragma => 'no-cache', -refresh=>'65; url=http://10.0.0.1/cgi-bin/customers/mainlogin.cgi');

anthonysaulnier
10-17-2005, 11:37 PM
Hi Charles, thank you for your response. I tried your solution but unfortunately it still caches the pages when I use Firefox, although it does appear to work as intended when I try it with Internet Explorer. I am thinking that there might be some configuration issues with the server perhaps. It seems to me that perhaps the workaround might be to force people somehow to use Internet Explorer. I will have to look into it. If you have any other ideas please let me know.



Thanks

Anthony

Nedals
10-18-2005, 01:19 PM
Here's what I use...

print $q->header(
-Pragma=>'no-cache',
-Cache_Control=>'no-store,no-cache,must-revalidate,post-check=0,pre-check=0'
);

You might also look into a 'redirect' header which can be used to stop a form from being re-submitted.

anthonysaulnier
10-18-2005, 02:54 PM
Hi Nedals, thank you for your suggestions as well. I will certainly give them a try. Regarding the header redirect, I did some research and came up with this from the apache web site:

String redirectLocation;
Header locationHeader = method.getResponseHeader("location");
if (locationHeader != null) {
redirectLocation = locationHeader.getValue();
} else {
// The response is invalid and did not provide the new location for
// the resource. Report an error or possibly handle the response
// like a 404 Not Found error.
}

I am thinking that the script above might work with some more conditions in the "if" section for my particular case. For example, if certain variables are not empty (ne "") and locationHeader != null, then redirect to the same page (hoping to reload and clear the variables and other unnecessary things).

Nedals
10-18-2005, 03:55 PM
Here's what I do for a login. You can probably adapt this for your use.

use CGI;
my $q = new CGI;
..
if (not authenticated) {
# set valid user
# Delete form data because it will reappear as a query string on redirect
$q->Delete('formname');
print $q->redirect(-uri=>$q->self_url());
exit;
}
..
# Do what you want with authenticated user.

With this bit of code, you cannot re-submit data by using the back button and re-submitting the form.

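Added example, not code from any poster in this thread: a CGI.pm page that combines the real HTTP cache headers discussed above with an idle timeout enforced on the server, so that a request made after the timeout is sent to the login page regardless of what the browser kept. The cookie name 'sid', the 60-second limit and the in-memory %SESSIONS hash (a stand-in for a real session store) are assumptions; the login URL is the one from the first post.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Assumptions (not from the thread): cookie name 'sid', a 60-second idle
# limit, and %SESSIONS standing in for a persistent server-side session store.
my $IDLE_LIMIT = 60;
my $LOGIN_URL  = 'http://10.0.0.1/cgi-bin/customers/mainlogin.cgi';
my %SESSIONS   = (
    'constructed-sample-id' => { user => 'alice', last_seen => time() - 10 },
);

# Headers for every page that shows account data. no-store asks the browser
# not to keep a copy at all, so Back/Forward has nothing to redisplay.
sub private_page_header {
    my ($q) = @_;
    return $q->header(
        -type          => 'text/html',
        -Cache_Control => 'no-store, no-cache, must-revalidate',
        -Pragma        => 'no-cache',
        -expires       => 'now',
    );
}

# The timeout is decided here, from the stored last-activity time.
sub session_for {
    my ($sid, $now) = @_;
    my $s = defined $sid ? $SESSIONS{$sid} : undef;
    return unless $s;
    if ($now - $s->{last_seen} > $IDLE_LIMIT) {
        delete $SESSIONS{$sid};    # expired: forget it on the server
        return;
    }
    $s->{last_seen} = $now;        # sliding idle window
    return $s;
}

my $q       = CGI->new;
my $session = session_for(scalar $q->cookie('sid'), time());

if (!$session) {
    # No live session: send the browser to the login page instead.
    print $q->redirect(-uri => $LOGIN_URL, -status => '303 See Other');
    exit;
}

print private_page_header($q);
print "<p>Account page for ", $q->escapeHTML($session->{user}), "</p>\n";
```
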
anthonysaulnier
10-19-2005, 03:33 AM
Ok, I have tried everything but still I have no luck getting it to work properly with Firefox. Basically I want to set it up so that if a user forgets to clear their cache when done, then the site will be protected. But still for some reason the users are able to use the back and forward buttons to see pages even though they are supposed to be logged out of the system. Things seem to work as wanted with Internet Explorer, but not with Firefox. My guess is that I am going to have to force users to use Explorer by detecting their browser types and storing it into a variable.


I have a dynamic page with one exception, the autologout page. Both pages have the code suggested below. When the user times out they are sent to the autologout page, and then five seconds later they are sent back to the login portion of the dynamic page.


What do you guys think? Any more ideas?