Q. I just used AuthentiX to protect a directory that I've been working on, and I was shocked to find that after it prompted me for a username and password, I could click the browser's "forward" button, then the "back" button and lo! the protected page appears! Is this a security hole?
This is happening because certain browsers will present the contents of the local cache when you navigate this way, i.e. if you had previously loaded the page, and it is in the browsers cache. Clear the cache when a directory is newly protected to see the normal expected behaviour (and the behaviour that visitors will see).
If you want to prevent this behaviour at the server-side, you could set the
<META HTTP-EQUIV="Expires" CONTENT="0"> <META HTTP-EQUIV="Pragma" CONTENT="no-cache"> <META HTTP-EQUIV="Cache-control" CONTENT="private">
directive on each page. However this may have a performance impact, since the pages will not be cached.