1

I understand that this question is asked over and over again, but I want a way to handle back button clicks on the server side (like banking applications).

When the user clicks on the back button, the page should be invalid and the user should be asked to start all over again.

Can you direct me to some tutorials on this?

Andrew Thompson
user2434

5 Answers

1

The simplest way I've seen this solved is as follows.

Every page is served up with a unique ID/token. That unique ID is always submitted when submitting any forms, and tracked on the server as being "used".

If the user ever clicks "back" and re-submits the same form, the server checks the unique ID... notices that it is a duplicate and then ignores the submission.

Note this won't physically stop a user from going "back", but if the last action was "transfer $1,000,000 dollars!" - the user won't accidentally transmit 2 million.

scunliffe
  • Ignores the submission? I don't want to ignore any submission. Only if the back button is clicked, then give an error page. Will this method take care of such a situation? – user2434 Jul 28 '11 at 10:39
  • Sure, what you do when you encounter a duplicate is completely up to you. You can redirect to an error page and provide an error message that they have tried to submit the same information twice... or let them get to the intended target page, but place an error message on that page that clearly indicates the 2nd submission was not handled. – scunliffe Jul 28 '11 at 11:03
0
  • Make pages not cacheable.
  • Track the user's route server side (in session data, maybe) to see if she is visiting an already visited page which she isn't supposed to revisit via back.
  • Check to see if she is requesting the visited resource, then handle accordingly.
  • A Filter is the best place to do this.
Community
jmj
0

Instruct the page to use no cache. Add to the head element of the page:

<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="expires" content="0">
Ilya Saunkin
0

There are two problems you need to solve here.

The first is how browsers typically handle the back button. You should use a POST request to get to the page that the back button should not have access to. Most browsers will use a local cache for GET requests, so if you do a GET, your server simply won't be accessed at all. A POST request will, however, typically perform a new request. Many browsers will also warn the user and show a dialog box saying e.g. "Are you sure you want to send the form again?". So by using a POST, you increase the likelihood that every page load of that page will perform a new request to your server.

You may also be able to use a GET request where your server returns HTTP headers that make browsers not load the page from the cache. Experiment with this.

The second problem is to make sure you invalidate duplicate requests server side. The first solution I can think of is to generate a token that you submit with the form and store in a database on every request. If a request is performed with a token that already is stored, you can invalidate the request. Perhaps there are better techniques, but I'll leave that as an exercise for the reader ;)

August Lilleaas
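The used-token check described in this answer and in scunliffe's answer above, as an added example that is not part of either original post. The class name, status strings, session ids and the in-memory dict (standing in for the database or session store) are assumptions made for illustration.

```python
import secrets
import threading
import time

ACCEPTED, REPLAYED, INVALID = "accepted", "replayed", "invalid"

class OneTimeTokenStore:
    """Hypothetical helper: each issued token authorises exactly one submission."""

    def __init__(self, ttl_seconds=900, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._lock = threading.Lock()
        self._tokens = {}  # token -> [session_id, expires_at, used]

    def issue(self, session_id):
        """Call when rendering a form; embed the result in a hidden field."""
        token = secrets.token_urlsafe(32)  # unguessable, so it cannot be forged
        with self._lock:
            self._tokens[token] = [session_id, self._clock() + self._ttl, False]
        return token

    def consume(self, session_id, token):
        """Call on submission, before performing the action."""
        with self._lock:  # check-and-mark is atomic, so a double click cannot race
            entry = self._tokens.get(token)
            if entry is None or entry[0] != session_id:
                return INVALID   # never issued, or issued to another session
            if entry[2]:
                return REPLAYED  # back button + resubmit: show the error page
            if self._clock() > entry[1]:
                del self._tokens[token]
                return INVALID   # form sat open too long; start over
            entry[2] = True
            return ACCEPTED

def demo():
    store = OneTimeTokenStore()
    token = store.issue("session-A")             # constructed session id
    first = store.consume("session-A", token)    # normal submission
    second = store.consume("session-A", token)   # same form sent again after "back"
    foreign = store.consume("session-B", token)  # token replayed from another session
    return first, second, foreign

if __name__ == "__main__":
    print(demo())
```

Used tokens have to stay recorded until they expire, otherwise a replay would look like an unknown token; a real deployment would purge expired entries periodically, which this example omits.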
0

I also searched for this, and after all I found a little trick; I think it may work for you.

  • Every page you have has a JavaScript function that calls the server with Ajax to check whether this page is available at that time.
  • On the server side you keep the availability (with the session).
  • If not, redirect the page as you wish.
sampathpremarathna