[BangPypers] back button issues with session handling in flask
Kiran Jonnalagadda
jace at pobox.com
Sat Sep 7 22:41:26 CEST 2013
On Saturday, 7 September 2013 at 9:59 PM, Adivandhya wrote:
> Hello guys,
> I'm making my own login module in Flask, and I'm now facing this problem pertaining to browser caching.
> After a user signs out (by setting session["logged_in"] = False or even doing session.clear()), if I press the back button on the browser, I can still see my homepage (which is supposed to be seen only when logged in). There are a few constraints while dealing with this problem, first being I do not want to totally disable browser caching, as I believe it is important for the efficiency of the website,
> and second being I cannot use other extensions like flask-login etc., as I'm trying to make it on my own.
> How do I resolve this problem within the constraints?
What are the risk factors in allowing the Back button to work?
1. The user cannot perform any restricted actions from this page since all subsequent requests to the server will be unauthenticated.
2. If the user closes the tab/window, navigation history is discarded, so there's no risk of user B with physical access being able to see a logged in page of user A.
Unless you are building a banking website which is specifically designed to harass users, I wouldn't worry about this.
You should, however, use HTTP status 303 instead of 301/302 to redirect the browser after POSTing a form. 301/302 is the primary reason for users accidentally submitting forms when they hit Back, since browsers consider 301/302 as a single page in navigation history, while 303 registers twice.
Kiran
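Added example, not code from either poster: a minimal login/logout flow showing the two mechanics discussed above in working form, the `303 See Other` redirect after every POST, and `Cache-Control: no-store` on authenticated responses only, which is how Back after logout stops showing the old homepage without disabling caching for public pages. It is written directly against the WSGI interface Flask sits on so it runs with the standard library alone; in Flask the same header goes in an `after_request` hook and the redirect is `redirect(url, code=303)`. The user table, the in-memory server-side session store, the `call()` driver and the request values it feeds in are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from io import BytesIO
from urllib.parse import parse_qs, urlencode

# Constructed for this example: one demo account (plaintext password for
# brevity; hash it in a real app) and a server-side session store.
# Holding the session server-side means logout can invalidate it even if
# the browser keeps replaying the old cookie.
SECRET_KEY = secrets.token_bytes(32)
USERS = {"alice": "correct horse battery staple"}
SESSIONS = {}  # session id -> session data


def _sign(sid):
    """Bind the session id to SECRET_KEY so a forged cookie is rejected."""
    mac = hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"


def _session_from(environ):
    """Return (sid, data) for a valid, still-live session cookie, else (None, None)."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    if "session" not in cookie:
        return None, None
    sid, _, mac = cookie["session"].value.partition(".")
    expected = hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None, None
    return sid, SESSIONS.get(sid)  # data is None once logged out server-side


def _form(environ):
    length = int(environ.get("CONTENT_LENGTH") or 0)
    fields = parse_qs(environ["wsgi.input"].read(length).decode())
    return {k: v[0] for k, v in fields.items()}


def app(environ, start_response):
    method, path = environ["REQUEST_METHOD"], environ.get("PATH_INFO", "/")
    sid, session = _session_from(environ)

    if path == "/login" and method == "GET":
        # Public page: ordinary browser caching is fine, so no Cache-Control.
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<form method=post><input name=user><input name=password></form>"]

    if path == "/login" and method == "POST":
        form = _form(environ)
        user = form.get("user", "")
        ok = user in USERS and hmac.compare_digest(
            USERS[user].encode(), form.get("password", "").encode())
        if not ok:
            start_response("303 See Other", [("Location", "/login")])
            return [b""]
        new_sid = secrets.token_urlsafe(32)  # fresh id on every login
        SESSIONS[new_sid] = {"user": user}
        start_response("303 See Other", [  # 303, not 302: Back does not resubmit the form
            ("Location", "/"),
            ("Set-Cookie", f"session={_sign(new_sid)}; Path=/; HttpOnly; SameSite=Lax"),
        ])
        return [b""]

    if path == "/logout" and method == "POST":
        SESSIONS.pop(sid, None)  # invalidate server-side, not only in the cookie
        start_response("303 See Other", [
            ("Location", "/login"),
            ("Set-Cookie", "session=; Path=/; Max-Age=0; HttpOnly"),
        ])
        return [b""]

    if path == "/":
        if session is None:
            start_response("303 See Other", [("Location", "/login")])
            return [b""]
        # Authenticated page: no-store keeps it out of the back/forward and disk
        # caches, so Back after logout re-requests it and gets the 303 above.
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("Cache-Control", "no-store")])
        return [f"<p>Welcome, {session['user']}</p>".encode()]

    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def call(method, path, cookie=None, form=None):
    """Drive `app` in-process (no server): returns (status, headers dict, body)."""
    body = urlencode(form or {}).encode()
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": BytesIO(body)}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out


if __name__ == "__main__":
    status, headers, _ = call("POST", "/login", form={"user": "alice", "password": USERS["alice"]})
    cookie = headers["Set-Cookie"].split(";")[0]
    print("login   ->", status, headers["Location"])
    status, headers, _ = call("GET", "/", cookie=cookie)
    print("home    ->", status, headers["Cache-Control"])
    status, headers, _ = call("POST", "/logout", cookie=cookie)
    print("logout  ->", status, headers["Location"])
    status, headers, _ = call("GET", "/", cookie=cookie)  # what Back triggers with no-store
    print("replay  ->", status, headers["Location"])
```

The constraint in the original question is honoured by scoping `no-store` to responses that depend on the session; `/login` and any static or public page keep their normal caching. The replayed request after logout uses the original, correctly signed cookie and is still refused, because the session was removed server-side rather than merely cleared in the cookie.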