[thelist] Not logging page in browser history - How?

Lee Kowalkowski lee.kowalkowski at googlemail.com
Fri Dec 7 15:15:00 CST 2007


On 07/12/2007, ftarzwell at fayec.com <ftarzwell at fayec.com> wrote:
> none of the pages (behind the password) were stored in the
> browser's history while when he did banking with another bank all the
> pages were in the history, even those behind the password.
>
> Is there a specific setting on the web server that can be turned on
> and off for not allowing a browser to log a visit to certain pages?
>
> Thank you in advance,
>
> FayeC

As Jason says, it sounds like they're doing the JavaScript
location.replace technique; this is a pain with form submission
though.  Even more JS is usually used to target the submission to a
hidden frame, or they use XMLHttpRequest instead of standard browser
behaviour.

Unless you actually mean history as in cached pages, or what you get
when you press CTRL-H, as I must admit I'm not certain what you meant
by pages "behind" the password, I'm assuming you meant after logging
in.

Pages aren't cached if you specify the appropriate Cache-Control and
Expires headers in every response.  I'd hate to think any bank was not
doing that, so again I'm assuming you mean the pages are in fact
non-navigable using the back and therefore also the forward button.

As Stephen says, this is really irritating, and to be frank the
reasons for electing to do that are lazy.  E.g. if the user presses
back after doing a POST, the page is expired, therefore the user
experience is awful and potentially dangerous; if they press refresh
they may repeat a transaction, but this eventuality should be covered
regardless of client-side prohibitions.

To make a better user experience, adopting a POST->Redirect->GET
pattern will solve that particular issue.

Other pitfalls around back/bookmarking arise when state is held in an
inappropriate place, i.e. holding navigation-related state in the HTTP
session on the server; this can ruin scalability anyway as well as
browsing in multiple tabs etc.

-- 
Lee
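
Added example, not part of the original message: a sketch of the
POST->Redirect->GET pattern with no-cache headers on every response and a
server-side guard against a repeated transaction. Plain functions stand in
for a web framework so it runs offline; the routes, the one-time form token
and the in-memory stores are all assumptions made for illustration.

```javascript
// Added example, not code from the thread. All names are hypothetical.
const { randomUUID } = require("node:crypto");

// Sent on every response behind the login so pages are not cached.
const NO_CACHE = { "Cache-Control": "no-store", "Expires": "0" };

const issued = new Set();    // form tokens handed out and not yet used
const completed = new Map(); // used token -> receipt id of its transfer
const ledger = [];           // constructed stand-in for the transaction store

// GET /transfer: render the form with a one-time token embedded in it.
function getForm() {
  const token = randomUUID();
  issued.add(token);
  return { status: 200, headers: { ...NO_CACHE }, body: { token } };
}

// POST /transfer: apply the transfer once, then answer 303 so the browser
// lands on a GET. Refresh or Back then re-requests the GET, not the POST.
function postTransfer({ token, to, amount }) {
  if (completed.has(token)) {
    // Same token again (refresh, double click, Back + resubmit):
    // point at the existing receipt instead of repeating the transfer.
    return redirect(completed.get(token));
  }
  if (!issued.delete(token)) {
    return { status: 400, headers: { ...NO_CACHE }, body: "unknown form token" };
  }
  const receipt = ledger.push({ to, amount }); // new length = 1-based id
  completed.set(token, receipt);
  return redirect(receipt);
}

function redirect(receipt) {
  const headers = { ...NO_CACHE, Location: `/receipt/${receipt}` };
  return { status: 303, headers, body: "" };
}

// GET /receipt/:id: idempotent, so refreshing it is harmless.
function getReceipt(id) {
  const entry = ledger[id - 1];
  return entry
    ? { status: 200, headers: { ...NO_CACHE }, body: entry }
    : { status: 404, headers: { ...NO_CACHE }, body: "not found" };
}
```

The duplicate check lives on the server, so it holds whether or not the
client runs any history-suppressing JavaScript.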


