4

我需要启用缓存并禁止用户在注销后返回后查看信息。

我知道在注销+后退按钮时显示的缓存页面是浏览器中的设计。我知道禁用缓存是一种强制注销+返回强制重新验证的方法。

使用 JSP(特别是 CQ5),这甚至可能吗?

我有以下解决方案,但不确定哪种方法最适合我的需求:

  1. 到处禁用缓存。这可行,但不可接受,因为我们使用的发布者将忙于重新更新页面。
  2. “注销”按钮 POST 到页面 A。页面 A 终止会话并将用户转发到页面 B,并带有一些“您已注销”消息。来自页面 B 的“返回”将弹出浏览器提供的有关必须重新发布值的消息。是 = 他们注销(此时无害)并再次转发到页面 B。不 = 他们无害地坐在页面 A。但是,“back”+“no”+“back”可能会将它们放在缓存页面上,或者从历史中选择仍然会显示缓存页面。
  3. “注销”按钮会弹出一个新窗口,询问他们是否确定/警告他们关闭会话。“我确定”会执行 window.opener.reload() 或 window.opener.close()。但是,如果 JavaScript 被禁用,我们就完蛋了。
  4. “注销”帖子到当前页面。所有页面都检查是否存在一些 POSTd 值。如果存在,请使用“您已注销消息”转发到页面 B。类似于#2。这实际上会将页面重新缓存到“您已注销”页面,但“返回”或历史记录仍将有缓存页面。

是否有某种方法可以手动清除用户的缓存,或者即使在缓存页面上也强制进行验证检查?我在这里没有想法......

4

1 回答 1

0

Your problem here is that you are trying to cache something that should be kept secret. Caching information behind a password is not secure and is a risk.

However, it may make sense to cache the generic html parts of a page behind a password. Anything that any logged in user can see is OK in this regard. It is only the specific information such as username, address, phone number etc that is sensitive.

If you make a separate JSON call to pull down the data, the infomration will be lightweight, but still secure, as it is not cached on the system, but also not padded with html formatting etc.

The page can also have the intelligence to display a log in challenge if the users session has been interrupted for whatever reason, they retype and continue from where they left off, whilst still keeping the back button in place.

I would also think if there is any sensitive information is kept in the history, such as id's, actions etc, that can be a problem as well.

Just a few things to consider.

于 2014-01-08T00:56:38.843 回答