
Django 1.7, Python 3.4, IE8

I am working on a Django project where users are authenticated against Windows Active Directory instead of the Django DB.

Users must be authenticated to see other pages. I use @cache_control(no_cache=True, must_revalidate=True, no_store=True) on all my pages to prevent caching. When the user clicks "logout", the back button will be expired in Firefox and Chrome but will work in IE8.

Clients will access this app only from IE8. Is there any way to prevent showing previous pages after the user has logged out and pressed the back button?

Note that I redirect the logout page back to login, but when the user clicks the back button, all those cached pages still show in IE8.

Any comments are welcome and appreciated!

wolf97084

2 Answers


It looks like no-cache may be the problem:

Make IE to cache resources but always revalidate

Try getting rid of no-cache and setting the Expires header to -1

This is a snippet from the link above:

"These are the critical header fields:

Last-Modified: Wed, 16 Feb 2011 13:52:26 GMT
Expires: -1
Cache-Control: must-revalidate, private

Last-Modified (or ETag) is needed as a validator

Expires -1 tells that the resource is stale and must be revalidated

Cache-Control must not include no-cache or no-store"

Some other useful links:

http://blog.httpwatch.com/2008/10/15/two-important-differences-between-firefox-and-ie-caching/

http://support2.microsoft.com/default.aspx?scid=KB;EN-US;Q234067

Chris Berragan
  • I have tried removing no-cache and no-store and putting in Expires, but it is still not working in IE. It does not work in Firefox either. My header looks like this: Cache_Control must-revalidate, private Content-Type text/html; charset=utf-8 Date Fri, 30 Jan 2015 16:12:17 GMT Expires -1 – wolf97084 Jan 30 '15 at 16:13
  • The Stack Overflow post that I linked to also mentioned that Last Modified or E-Tag are required - did your header include one of these? – Chris Berragan Jan 30 '15 at 20:57
  • I missed the ETag part. However, since I don't know how to set up ETag in a Django view, I referred to this link https://github.com/django/django/blob/master/django/middleware/common.py#L112 and used response['ETag'] = '"%s"' % hashlib.md5(response.content).hexdigest() to set up the ETag. Now the header looks like this: Cache_Control must-revalidate, private Content-Type text/html; charset=utf-8 Date Fri, 30 Jan 2015 21:20:35 GMT Etag "159eda72e7bff45f769cc1bab5a02a89" Expires -1 IE8 still does not expire pages. – wolf97084 Jan 30 '15 at 21:34
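
A checker for the three conditions quoted in the answer above, run over the header sets mentioned in this thread. It is an added example, not code from either poster; the function names and the sample dictionaries are assumptions constructed from the header values quoted on this page.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def normalize(headers):
    # Assumption: "Cache_Control" in the comments is the asker's tool showing Cache-Control.
    return {k.lower().replace("_", "-"): v.strip() for k, v in headers.items()}

def expires_is_stale(value, now=None):
    """True for 'Expires: -1', any other unparseable value, or a date not in the future."""
    now = now or datetime.now(timezone.utc)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True  # HTTP caches treat an invalid Expires date as already expired
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def check_recipe(headers):
    """Return the quoted conditions that `headers` fails; an empty list means all are met."""
    h = normalize(headers)
    directives = {d.strip().lower().split("=")[0]
                  for d in h.get("cache-control", "").split(",") if d.strip()}
    problems = []
    if not (h.get("last-modified") or h.get("etag")):
        problems.append("no validator: add Last-Modified or ETag")
    if "expires" not in h or not expires_is_stale(h["expires"]):
        problems.append("Expires does not mark the response stale")
    if "must-revalidate" not in directives:
        problems.append("Cache-Control lacks must-revalidate")
    for banned in ("no-cache", "no-store"):
        if banned in directives:
            problems.append("Cache-Control contains " + banned)
    return problems

# Header sets constructed from the values quoted on this page (Date omitted, it is not checked).
RECIPE = {"Last-Modified": "Wed, 16 Feb 2011 13:52:26 GMT", "Expires": "-1",
          "Cache-Control": "must-revalidate, private"}
FIRST_TRY = {"Cache_Control": "must-revalidate, private", "Expires": "-1"}
SECOND_TRY = dict(FIRST_TRY, Etag='"159eda72e7bff45f769cc1bab5a02a89"')
# Constructed from the question's cache_control(...) arguments.
ORIGINAL = {"Cache-Control": "no-cache, must-revalidate, no-store"}

if __name__ == "__main__":
    for name, hdrs in [("recipe", RECIPE), ("first try", FIRST_TRY),
                       ("second try", SECOND_TRY), ("original", ORIGINAL)]:
        print(name, "->", check_recipe(hdrs) or "meets the quoted conditions")
```

An empty result only means the response matches the quoted conditions; the asker reports above that IE8 still showed the pages with the second header set.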

I ended up checking the IE version when the user clicks the logout button. If it's IE8, then I close the current window and open a new window to the homepage. Otherwise, it does nothing.

I also added back
@never_cache
@cache_control(no_cache=True, must_revalidate=True, no_store=True, max_age=0)
to expire pages in Chrome and Firefox, just in case some users have the right to run the app in those browsers.

Not exactly what I want, but will work for now. Still looking for a better approach.

wolf97084