[albatross-users] Authentication/Login example for RandomModules

Sheila King sheila at thinkspot.net
Mon May 26 14:01:04 EST 2003


--On Monday, May 26, 2003 10:26 AM +1000 Gregory Bond <gnb at itga.com.au> 
wrote:

>> I noticed something about my app the other night, that I didn't like:
>> If I log out and then use the browser's Back button, it takes me back
>> to the Main Account page. This is because the page is cached. However,
>> I would prefer if it were not possible to do that.
>
> Back buttons are the bane of stateful Web apps, no matter how they are
> implemented.  I've not found any easy answer to this, apart from train
> the users to "don't do that!" (Easy for me, only a handful of users....)
>
> I'd love a better answer. (I'm using SessionFileApp and Page Objects.)
>

I have something that seems to be working pretty well for me right now.

A live version will be temporarily available here:
http://www.mathxy.com/cgi-bi/temp/myapp.py

The code is (temporarily) in this directory:
http://www.mathxy.com/temp/

It does have lots of debugging statements and stuff. Code is really not 
cleaned up for publication. But anyhow...

If I log in with valid username/password (one such login is guest/guest), 
it takes me to main account page. If I log out and then do back button, it 
is giving me the Expired session page, as I desire, instead of the 
'myaccount' page as it did in the version I previously published.

I've accomplished this by overriding the write_headers() function as 
follows:

    def write_headers(self):
        # Send the normal session headers first, then mark the response as
        # already expired and not cacheable.
        SessionFileAppContext.write_headers(self)
        self.request.write_header('Expires', 'Thu, 19 Nov 1981 08:52:00 GMT')
        self.request.write_header(
            'Cache-Control',
            'no-store, no-cache, must-revalidate, post-check=0, pre-check=0')

I just copied these headers from another login page that I sometimes visit 
which I know defeats the back-button thing for revisiting your account page 
after you've logged out.

The one weird thing about it that I just noticed...

In Mozilla 1.3 it seems to behave for me as I expect. However in IE 5.0, it 
continues to always display the 'myaccount' URL in spite of the fact that 
I've called a 'redirect' in the code to expired or login or the like. I 
will review it on IE 6.0 later, when I use a different computer. I haven't 
tested it in any 4.x or older browsers, nor Opera, nor any *nix browsers (I 
only have Windows machines at home, and only access to Linux by telnet).

Anyhow, FWIW...

-- 
Sheila King
http://www.thinkspot.net/sheila/
http://www.k12groups.org
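
An added example, not part of the original post and not Albatross code: a small Python check that reports why a response could still be stored and reused by a cache, run against the two headers set in write_headers() above. The function names, the weak sample responses and the fixed clock are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# The two headers from the post's write_headers() override.
POST_HEADERS = [
    ('Expires', 'Thu, 19 Nov 1981 08:52:00 GMT'),
    ('Cache-Control',
     'no-store, no-cache, must-revalidate, post-check=0, pre-check=0'),
]
# Constructed samples of responses that leave an account page cacheable.
NO_CACHE_HEADERS = [('Content-Type', 'text/html')]
WEAK_HEADERS = [
    ('Cache-Control', 'private, max-age=600'),
    ('Expires', 'Thu, 01 Jan 2099 00:00:00 GMT'),
]


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(','):
        name, _, arg = part.strip().partition('=')
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives


def cache_findings(headers, now=None):
    """Return the reasons a cache may store and reuse this response."""
    now = now or datetime.now(timezone.utc)
    hdrs = {k.lower(): v for k, v in headers}
    cc = parse_cache_control(hdrs.get('cache-control', ''))
    findings = []
    if 'no-store' not in cc:
        findings.append('Cache-Control lacks no-store')
        if cc.get('max-age') not in (None, '0'):
            findings.append('max-age allows reuse without revalidation')
    try:
        when = parsedate_to_datetime(hdrs['expires'])
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        if when > now:  # matters to HTTP/1.0 caches without Cache-Control
            findings.append('Expires is in the future')
    except (KeyError, TypeError, ValueError):
        pass  # absent or unparseable Expires: nothing to report here
    return findings
```

An empty list means none of the checked conditions applies; it does not prove that every browser's history handling will refetch the page.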



