Problem forcing pages not to cache.

damiensawyer

Hi,

I have a requirement to ensure that pages do not store anywhere in the
browser cache. Essentially, when the user hits logout, the information
they've been reading needs to be completely inaccessible.

I have done a bit of Googling and found articles suggesting the
following HTTP-EQUIV meta tags. The page loads and validates via W3C,
however fails to secure the content.

I'm testing in Firefox 2 by opening the below file from a local disk.
I then leave the page, set the browser to 'work offline' and open the
file from 'history'. The page appears in full. I have also tested the
file served via http from a web browser to the same result.

Can someone please tell me what I'm doing wrong?

Thanks in advance,


Damien


------ HTML File ----------

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="TEXT/HTML; CHARSET=WINDOWS-1250">
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE; NO-STORE; PRIVATE; MUST-REVALIDATE">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"> <!-- Backward compatibility with HTTP 1.0 -->
<META HTTP-EQUIV="EXPIRES" CONTENT="-1">
<title>Sample Document which should not be stored in browser cache</title>
</head>

<body>
This is a sample expired Document
</body>
</html>
 
Jukka K. Korpela

Scripsit (e-mail address removed):
> I have a requirement to ensure that pages do not store anywhere in the
> browser cache.

It cannot be guaranteed. However, the tags you have used are a
reasonable attempt. Any browser that refuses to honor any of them won't
listen to you anyway as regards caching. It wouldn't hurt, however,
to try to do cache control at the level where it logically belongs,
namely HTTP level, in HTTP headers. In particular, this could be
effective against some proxy caches (which won't even look at any <meta>
tags). Check the classic reference, "Caching Tutorial for Web Authors
and Webmasters", http://www.mnot.net/cache_docs/

> Essentially, when the user hits logout, the information
> they've been reading needs to be completely inaccessible.

This cannot be guaranteed, of course. In particular, you cannot erase it
from the user's mind, or print copies, or locally saved copies.

> I have done a bit of Googling and found articles suggesting the
> following HTTP-EQUIV meta tags.

There are some mistakes and questionable features in them. For example,
Cache-Control header uses, by the protocol, commas and not semicolons as
separators.

> The page loads and validates via W3C,
> however fails to secure the content.

Validation is just formal and says nothing about the correctness of the
contents in the said:

> I'm testing in Firefox 2 by opening the below file from a local disk.

I would not expect a browser to cache local files anyway, by default. What
would be the point?

> I then leave the page, set the browser to 'work offline' and open the
> file from 'history'. The page appears in full. I have also tested the
> file served via http from a web browser to the same result.

So what? The history is a collection of URLs, and when you open
something via the history, the browser accesses the resource by its
normal rules. This includes reading it from disk if it is local, as well
as requesting it via HTTP when its logic so requires (that is, the page
is not in the cache or the caching information tells that the cached
copy is to be treated as expired).
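
An added example (not part of the original thread) of the two points in the reply above: sending the cache policy as real HTTP response headers, and why the semicolon-separated value from the posted file does not parse as the directives it was meant to contain. The names `parse_cache_control`, `audit_no_store` and `app` are hypothetical, and the parser is a simplification that ignores commas inside quoted arguments.

```python
# Added example: read Cache-Control the way a cache does (comma-separated
# directives) and serve a page with the policy in HTTP headers, not <meta>.

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):          # HTTP uses commas as separators
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def audit_no_store(headers):
    """Return findings for a response that no cache should store."""
    cc = next((v for k, v in headers.items() if k.lower() == "cache-control"), None)
    if cc is None:
        return ["no Cache-Control response header (proxies never see <meta> tags)"]
    findings = []
    directives = parse_cache_control(cc)
    for name in directives:
        if ";" in name or " " in name:
            findings.append(f"malformed directive {name!r}: separators must be commas")
    if "no-store" not in directives:
        findings.append("no-store directive missing or unparseable")
    return findings

# Header set for sensitive pages; Pragma and Expires only help HTTP/1.0 caches.
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]

def app(environ, start_response):
    """Minimal WSGI app that sends the policy as HTTP response headers."""
    body = b"This is a sample expired Document\n"
    headers = [("Content-Type", "text/plain"),
               ("Content-Length", str(len(body)))] + NO_STORE_HEADERS
    start_response("200 OK", headers)
    return [body]

if __name__ == "__main__":
    # Value copied from the META tag in the posted file.
    posted = "NO-CACHE; NO-STORE; PRIVATE; MUST-REVALIDATE"
    for finding in audit_no_store({"Cache-Control": posted}):
        print("posted value:", finding)
    print("comma form:", audit_no_store({"Cache-Control": posted.replace(";", ",")}))
```
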
 
Holger Suhr

Do you want to force the browser to _load_ the content from the
server _every_ time,
or do you want to never leave any cache content
on the client, even after only one visit to your page?

Holger
 
damiensawyer

> Do you want to force the browser to _load_ the content from the
> server _every_ time,
> or do you want to never leave any cache content
> on the client, even after only one visit to your page?

Hi.

Basically the second. It's more about security of the information
stored in the pages.

Cheers,


DS
 
