June 29th, 2003, 02:56 PM
Clearing Browser cache
If I look at some of the authentication security setups I've seen, (generally session variables, go back to the database and check if this user has appropriate permissions), I've run into something in testing that bothers me, but I'm not sure if I can do anything about it.
If I login with a high security clearance user, look at some pages requiring that security, then logoff, then login as a low security clearance user, the browser caches the high security page and will show it to the new user. If that user hits the refresh button, the system comes to its senses and refuses to output the page, so I'm assuming (big leap here) that the page was actually generated by the browser cache. (I'm not letting apache cache any pages).
Am I missing something obvious or is there some way to clear the browser cache when the high security clearance user logs off?
June 29th, 2003, 03:19 PM
A proper search would have revealed:
header("Cache-control:no-cache, must revalidate");
as the very first things sent. I accidently was sending a couple of characters prior to the headers.