
A colleague is pushing clearing the client browser's history (i.e. back-button) when they logout of our web application. Is this considered a good practice? It strikes me as a really intrusive. If only conditionally, what conditions need to be in place for this practice to be useful?

  • This question might be a better fit for the IT Security SE site. Commented Mar 28, 2012 at 15:28
  • I'd consider a script that does this malware and install a script blocker, if not outright leave it. Commented Mar 28, 2012 at 15:39
  • I think the point is moot, since most browsers prevent the activity you are trying to do; it is only going to be effective on out-of-date browsers (IE 5 blocked this, so really out of date) and maybe some niche browsers. Commented Mar 28, 2012 at 21:04
  • I agree with @Chad, I'm pretty sure it is not possible to clear the browser history from script - not JavaScript, not an in-browser Java app, not Flash either. I could be wrong, though. Commented Mar 29, 2012 at 4:52

3 Answers


Is it critical for the app's functionality? Remember that it can probably be blocked by the user disabling the script, so keep in mind that your app should still be able to handle situations where the history clearing script does NOT run.

Personally, I'd find this sort of behaviour nasty and excessively invasive and intrusive. Who do you think you are, trying to mess with my browser's history on my local machine? Don't do it.

Thinking more carefully, this might be acceptable if the web application is intended to be accessed from browsers running in "kiosk" mode, like in those computers in malls used for product promotions. I think it would be OK here because these aren't the "user's" personal computer, but a kiosk that random members of the public will use. But in that case, I'd think that such a requirement arose because of bad design elsewhere in the application. I am really having a hard time thinking of a valid business reason (that doesn't sound suspicious or malicious) that a web application needs to get rid of the browser history, but I'm open to suggestions...

  • It's not critical. It would be a quick fix for his implementation of the auth/acl. I'm sure there's a better way. Commented Mar 28, 2012 at 16:13

No. I've never heard of anyone doing that and I would prefer if a web app didn't mess with my browsing history. Your coworker must be using a trick like the asker in this question is using to clear the history, but it is IE only.

It sounds like the accepted best practice is to use window.location.replace to keep a page from going into history. See A, B.

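The answer above points at `window.location.replace` as the accepted way to keep a page out of the history. The following is an added example, not code from the original post or from any of the answerers: it models the browser session history (a list of entries plus a current index, which is all that matters here) so that `location.assign()` and `location.replace()` can be compared outside a browser. The URLs are constructed for the example, and `logoutTo()` is written so that in a real page you would pass `window.location` instead of the model. The last scenario also shows the caveat that the third answer gets at: `replace()` only overwrites the single current entry, so any earlier authenticated page is still one more back-press away, and the server must still reject requests for it once the session is gone.

```javascript
// Minimal model of the browser session history: an ordered list of URLs and
// the index of the current entry. Constructed for this example; real browsers
// add fragment navigations, pushState entries and per-frame histories, which
// do not change the assign/replace distinction shown here.
class SessionHistory {
  constructor(startUrl) {
    this.entries = [startUrl];
    this.index = 0;
  }

  get href() {
    return this.entries[this.index];
  }

  // location.assign(url), or setting location.href: behaves like a link click.
  // A new entry is pushed after the current one and any "forward" entries are
  // discarded; the page we came from stays reachable with the back button.
  assign(url) {
    this.entries = this.entries.slice(0, this.index + 1);
    this.entries.push(url);
    this.index = this.entries.length - 1;
  }

  // location.replace(url): overwrite the current entry in place. The page that
  // called replace() is no longer in the history at all.
  replace(url) {
    this.entries[this.index] = url;
  }

  // The URL the back button would land on (null if there is none). Read-only;
  // does not move the index.
  previous() {
    return this.index > 0 ? this.entries[this.index - 1] : null;
  }
}

// Navigate to the logout page. `location` is window.location in a browser or a
// SessionHistory instance here; both expose assign() and replace().
function logoutTo(location, logoutUrl, useReplace) {
  if (useReplace) {
    location.replace(logoutUrl);
  } else {
    location.assign(logoutUrl);
  }
  return location.href;
}

// Simulate: land on the login page, visit each authenticated page in
// `authenticatedPages` by normal navigation, then log out. Returns the current
// URL, what back would show, and the final history list.
function simulateLogout(useReplace, authenticatedPages) {
  const history = new SessionHistory('https://app.example/login');
  for (const url of authenticatedPages) {
    history.assign(url);
  }
  logoutTo(history, 'https://app.example/logged-out', useReplace);
  return {
    current: history.href,
    backTarget: history.previous(),
    entries: [...history.entries],
  };
}

// Walk through the three cases the answers discuss.
const viaAssign = simulateLogout(false, ['https://app.example/account']);
console.log('assign  -> back lands on', viaAssign.backTarget);   // /account

const viaReplace = simulateLogout(true, ['https://app.example/account']);
console.log('replace -> back lands on', viaReplace.backTarget);  // /login

// replace() only hides the page that called it: with two authenticated pages
// visited, back still reaches /account. Authorization has to live on the server.
const twoPages = simulateLogout(true, [
  'https://app.example/account',
  'https://app.example/settings',
]);
console.log('replace, two pages -> back lands on', twoPages.backTarget); // /account
```

To use this in a page, call `logoutTo(window.location, '/logged-out', true)` from the logout handler. The browser's own `location.replace` performs exactly the in-place overwrite the model shows, so the page that triggered logout drops out of the back-button stack; anything visited before it does not.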

Clearing the browser history when the user leaves your application seems to be a pretty good example of security through obscurity. This form is particularly invasive, as you're counteracting an expected function on the user's computer.

You should not rely on this technique to secure your application. It should not matter if a malicious user knows the URLs that a user visited on your application.

  • +1, if your app can be compromised by URL attack alone then you've probably got some other fundamental issues. Commented Mar 28, 2012 at 17:58