
The 'Resend' issue.

 
lekurwale amol
Ranch Hand
Posts: 55
Hi,
I had been browsing for the cache issue for quite a long time and found the common solution of 'no-cache', 'Expires', etc.
Even though I tried all these, I still have the famous 'Resend?' issue. The browser actually stores the form data and when you press refresh, it asks if you want to resend, and if you say yes, it does. I don't think there is any solution to stop the browser from storing the form data.
My requirement is a different one. As said above, the browser stores form data. Now, there are specialized tools available which can recover the cache on the client. Note: your server cannot do anything in such a case.
My question: how to stop the browser from storing form data, so that those tools will not recover such data from the client?
I am thinking of a possible solution of encryption using JavaScript or using Ajax.

Regards,
Amol
 
lekurwale amol
Ranch Hand
Posts: 55
Any updates, please.
 
Ulf Dittmer
Rancher
Posts: 42970
I don't think there is any solution to stop the browser from storing the form data.

That can be turned off in the browser settings. If you're asking whether the web app can do anything about that, then the answer is no.

Why are you worried about this? The client already knows the data, what harm is done by keeping a copy at the client?
 
lekurwale amol
Ranch Hand
Posts: 55
Hi Ulf,
Thanks for your quick reply.
My client had carried out a risk analysis test, wherein they found that data typed by the client user, or data displayed to the user, is available from the cache. I am not aware of their tool or how they found that out. Their concern is the cache, which they want to clear.
Now, we cannot control every user's browser settings. So how to achieve it programmatically?
I tried with some JavaScript functions which clear the form contents before page unload, but even though the form is reset, somewhere the browser is maintaining the cache data, due to which, even on resend, the server gets the form contents. I think this is sufficient to prove that the browser is storing the data. And if it is stored, it can be recovered (which tool may not matter). How to clear this?
I read somewhere about using some ActiveX object to gain access to client memory and then clear it.
Can you please help me out on this?

Regards,
Amol
 
Ulf Dittmer
Rancher
Posts: 42970
So the issue is that the client does not trust their computers to be guarded against data theft?

As I said, there's nothing the web app can do about what the browser does. If the data is that sensitive, then the web app should use SSL - it prevents the browsers from caching the data. (Of course, a rogue user can write a browser that does cache data that's sent over SSL, but the factory versions of the major browsers don't do that. And again, the user already knows the data, so no harm done.)
 
lekurwale amol
Ranch Hand
Posts: 55
Hi Ulf,

The user may not be using their own personal machine, so we cannot trust the machine. Someone else may log in to that machine.

I guess using SSL is about transportation. My concern is about data on the client itself. We are using SSL and still found the issue.
I read about the password hashing technique (http://crypto.stanford.edu/PwdHash/). I am not able to figure out whether this algorithm stores the 'hashed' password, or it stores the typed one and sends the 'hashed' one. Can you please have a look at it?
One possible solution someone suggested to me was to use redirection logic: redirect the user to the next page. But I really don't think that is feasible or will achieve the requirement.

Finally, if nothing helps, I think we can address the issue.

Regards,
Amol
 
Ulf Dittmer
Rancher
Posts: 42970
Someone else may log in to that machine.

Nobody should be using a shared account for sensitive data, so that's a somewhat contrived use case.

The password hashing you mention addresses a different problem; it doesn't help with client-side security.

Not sure what you mean by "redirection logic" or how it would help in this case.
 
lekurwale amol
Ranch Hand
Posts: 55
Ulf Dittmer wrote:
Someone else may log in to that machine.

Nobody should be using a shared account for sensitive data, so that's a somewhat contrived use case.

As I said, we cannot control the user. So we need to take care of it ourselves.

Ulf Dittmer wrote:
The password hashing you mention addresses a different problem; it doesn't help with client-side security.

Can you elaborate on the problem which it addresses? Maybe we can use it in some way, for some other problem.

Ulf Dittmer wrote:
Not sure what you mean by "redirection logic" or how it would help in this case.

Redirection to the home page after the user submits on the login page. This may help as follows: when the user clicks 'back' from the redirected page, that would be a different request. But I am still not sure if this will really 'clear' the cache.
 
Ulf Dittmer
Rancher
Posts: 42970
As I said, we cannot control the user. So we need to take care of it ourselves.

This doesn't make sense. The client is worried enough about this to be performing a "risk analysis test", yet they don't want to rule out using shared accounts for sensitive data? Are you sure you got that right?

Can you elaborate on the problem which it addresses? Maybe we can use it in some way, for some other problem.

Let's not stray from the original topic. If you're interested in that, and the page you read doesn't make sense, then you can ask about it in a different topic.

But I am still not sure if this will really 'clear' the cache.

It doesn't.
 
adil qureshi
Ranch Hand
Posts: 48
lekurwale amol wrote:
Any updates, please.

Yes, surely you can do that, but not by disabling or changing anything at browser level. I have faced a similar kind of problem. For this issue you have to use a certain kind of token to uniquely identify each and every request, and if the same form is resubmitted you can log him out. But yes, this approach comes with a hit: you have to handle it at server level, and if he resends then you have to stop him from any processing.
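As an added example, not code from the thread or from any of its posters, here is a minimal Python model of the token approach described in this post: a one-time token minted with the form and consumed on the server, so a resent POST is refused and the session ended, combined with a redirect after the submit (the "redirection logic" raised earlier in the thread) and the cache headers from the first post. The session store, the /login and /home paths and the skipped authentication step are assumptions for illustration.

```python
# Added example (not from the thread): per-form one-time token checked on the
# server, plus Post/Redirect/Get so that a browser refresh on the result page
# issues a GET instead of prompting to resend the form. In-memory model only.
import secrets

# Headers sent with every page that shows or accepts sensitive data.
# "no-cache" and "Expires" alone only force revalidation; "no-store" is the
# directive that tells the browser not to persist the response at all.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}

def render_form(session):
    """GET /login (assumed path): mint a one-time token, keep it in the
    session and embed it in the form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["form_token"] = token
    html = ('<form method="post" action="/login" autocomplete="off">'
            f'<input type="hidden" name="token" value="{token}">'
            '<input type="password" name="pwd"></form>')
    return 200, dict(NO_STORE_HEADERS), html

def handle_post(session, form):
    """POST /login: accept the token exactly once. A resend carries the same
    token, which has already been consumed, so it is refused and the session
    is ended instead of being processed a second time."""
    expected = session.pop("form_token", None)
    supplied = form.get("token", "")
    if expected is None or not secrets.compare_digest(expected, supplied):
        session.clear()  # "log him out" on a replayed or token-less submit
        return 403, dict(NO_STORE_HEADERS), "duplicate or missing form token"
    # Authenticating form["pwd"] is omitted here (placeholder).
    session["user"] = form.get("user", "")
    # Post/Redirect/Get: the history entry for the result page is a GET of
    # /home (assumed path), so Refresh/Back no longer replays the POST.
    headers = dict(NO_STORE_HEADERS, Location="/home")
    return 303, headers, ""
```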
 
lekurwale amol
Ranch Hand
Posts: 55
adil qureshi wrote:
lekurwale amol wrote:
Any updates, please.

Yes, surely you can do that, but not by disabling or changing anything at browser level. I have faced a similar kind of problem. For this issue you have to use a certain kind of token to uniquely identify each and every request, and if the same form is resubmitted you can log him out. But yes, this approach comes with a hit: you have to handle it at server level, and if he resends then you have to stop him from any processing.

Adil,
As I said previously, my concern is not the server. It is the client data stored on the client, which I need to flush. Please go through Ulf's replies and let me know if you can figure out any solution.

 