posted 15 years ago
I should add, this does not prevent the user from actually going back to the previous page (which is simply impossible). It just prevents the previous page being viewed from the browser cache, which would make the user think: "Hey, I am already logged out, why do I still see the secured page?!". Adding the response headers prevents the page being cached in the browser, so the browser is forced to actually fire a request to the server, where you can easily check if the user is logged in or not and handle the response accordingly.