How to expire an ASP.NET page?

[Scott Shuster]

Hi,

I've been searching and testing and have not yet found the answer I'm
looking for.

I have an ASP.NET (vb) application with an ecommerce function. When
the user submits the page, I DON'T want them to be able to click on the
'BACK' button and get back to the form - they may inadvertently
re-submit the page and get charged again. I WANT them to get the "Page
has expired" message.

I used to be able to do something like this with the META "Expires" tag
in classic ASP, but that doesn't seem to work with .NET.

I've tried...

Page.Response.Cache.SetCacheability(HttpCacheability.NoCache)
Response.Expires = 0
Response.Cache.SetNoStore()
Response.AppendHeader("Pragma", "no-cache")

....in my Page_Load but the most they've been able to do is clear out
the form. They will not force the "Page is expried", which is what I
want.

Can someone please give me the definitive answer on manually expiring a
web form page in ASP.NET?

Thanks,

ShusteS

 

[tdavisjr]

The things that you have already tried are legitimate, however, you must
understand that browsers still do what they want to do and cache content
locally and not respect the HTTP headers that are sent down. I'm not sure if
there is any more you can do.

 

[John Timney \(MVP\)]

I'm guessing at the code - but try:

Response.Cache.SetExpires(DateTime.Parse(DateTime.Now.ToString()))
Response.Cache.SetCacheability(HttpCacheability.Private)
--
Regards

John Timney (MVP)

 

[Scott Shuster]

Hi,

Thanks for the post.

I have tried everything, including this suggestion, and the most that
it will do is clear out the form (cache) so that when the user clicks
on the BACK button, the form is empty.

Nothing I've done has actually expired the form so that the page won't
show at all, which is what I'm trying to acheive.

Thanks,

Scott Shuster

 

[Joerg Jooss]

Thus wrote Scott,

Hi,

I've been searching and testing and have not yet found the answer I'm
looking for.

I have an ASP.NET (vb) application with an ecommerce function. When
the user submits the page, I DON'T want them to be able to click on
the 'BACK' button and get back to the form - they may inadvertently
re-submit the page and get charged again. I WANT them to get the
"Page has expired" message.

Generally speaking, that's impossible. The HTTP 1.1 spec clearly says:

"History mechanisms and caches are different. In particular history mechanisms
SHOULD NOT try to show a semantically transparent view of the current state
of a resource. Rather, a history mechanism is meant to show exactly what
the user saw at the time when the resource was retrieved.

By default, an expiration time does not apply to history mechanisms. If the
entity is still in storage, a history mechanism SHOULD display it even if
the entity has expired, unless the user has specifically configured the agent
to refresh expired history documents."

Many browser do handle the concepts "history list" and "local cache" as one
entity, others don't. Some even change their behavior depending on specific
Cache-Control headers or the use of HTTPS.

I used to be able to do something like this with the META "Expires"
tag in classic ASP, but that doesn't seem to work with .NET.

If whatever you've tried to achieve with a META tag worked for you in ASP,
it will work in ASP.NET as well. This is a client specific behavior.

I've tried...

Page.Response.Cache.SetCacheability(HttpCacheability.NoCache)
Response.Expires = 0
Response.Cache.SetNoStore()
Response.AppendHeader("Pragma", "no-cache")

To prevent caching, the first line usually suffices.

But in an internet scenario where you have no control over your users' browsers,
this approach is bound to fail. If you want to prevent duplicate form submits,
either

a) use redirect-after-post -- after processing the form submit, use HttpResponse.Redirect()
to send the user to the next page. The browser will only record the redirect's
GET in its history, not the POST. The drawback of this approach is another
roundtrip to the client for each form submit.

b) use a synchronizer token. Each web form includes a token (e.g. a GUID
or random number) that can be used only for one form submission. If you receive
a post back with an unexpected token, you can handle the duplicate submission
as you see fit. Here's a sample implementation: http://tinyurl.com/lnx9w.
The drawback of this approach is that some browser will warn the user of
duplicate form submission, which many wrongly think of as an error message.
Thus, the user experience isn't really great: The user clicks back, thr browser
displays a warning, the user submits again away, and finally the application
displays a warning or an error after detecting the duplicate submisson --
that's not really nice.

Cheers,

 

[itskbalaji]

Disabling the back button

Hi,
this same problem i also had. though there are a lot of ways to disable the back button, it is advisable not to play with browser.

So in my original page i wrote a javascript as document.history.forward(1) which will prevent the user from seeing that page again.

Regards
Balaji

Hi,

I've been searching and testing and have not yet found the answer I'm
looking for.

I have an ASP.NET (vb) application with an ecommerce function. When
the user submits the page, I DON'T want them to be able to click on the
'BACK' button and get back to the form - they may inadvertently
re-submit the page and get charged again. I WANT them to get the "Page
has expired" message.

I used to be able to do something like this with the META "Expires" tag
in classic ASP, but that doesn't seem to work with .NET.

I've tried...

Page.Response.Cache.SetCacheability(HttpCacheability.NoCache)
Response.Expires = 0
Response.Cache.SetNoStore()
Response.AppendHeader("Pragma", "no-cache")

....in my Page_Load but the most they've been able to do is clear out
the form. They will not force the "Page is expried", which is what I
want.

Can someone please give me the definitive answer on manually expiring a
web form page in ASP.NET?

Thanks,

ShusteS

 

[gladiator]

Scott,

What you had it should work.

Page.Response.Cache.SetCacheability(HttpCacheabili ty.NoCache)
Response.Expires = 0
Response.Cache.SetNoStore()
Response.AppendHeader("Pragma", "no-cache")

Make sure the codes are placed in the Page_Load section of the your page. Then, add some logic to post back the SAME page for user to preview the info before final submitting. Then, take them to the Thank you page or whatever... which shoul be code within the SAME page, too. After all that, if user hit the back button, it would give them the Expired page error. Try it and let me know.

Have Fun...

:thrasher: