A web browser typically caches pages, so when you use the back arrow to go back to previous pages the local cache is used rather than getting the page again from the server. In the case of web forms, my security auditor tells me this is a vulnerability to the user. For example, an anonymous user fills out a web form on my site successfully, is sent to the confirmation page, everything is fine. The anonymous user walks away, someone else gets on the browser, hits the back arrow - and then sees the entire form that was just submitted with all the text the user typed in. This isn't Drupal's fault or Webform's fault - it's the user's fault for not closing the browser. But still, my security team wants me to fix it so this will not happen.

My understanding is that if I put these two lines in the <head> section of the form's page it will take care of the problem, by forcing a refresh from the server if someone goes back to a page with a form on it:

<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">

I've got a dozen or two forms on my Drupal 6 site using Webform module - how can I force the above stuff to go into the <head> section of the pages that contain the forms? Or is there some other way to ensure that the "back arrow" will not reveal the contents of a form that has been submitted?

THANKS!!!!

Comments

quicksketch

Status: Active » Fixed

Hi there, this isn't a question that's really Webform-specific. However you can do this by making a page-node-[nid].tpl.php for your Webform URLs, or you can override the webform-form.tpl.php file in your theme (see THEMING.txt that comes with the module). Then use Drupal's drupal_set_html_head function to add extra markup to the HEAD section of the page.
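Putting the suggestion above into practice, here is an added example (not code from this issue thread or from the Webform module) of a Drupal 6 theme preprocess hook that adds the no-cache markup to the HEAD of every Webform node page, and also sends the equivalent HTTP headers, which is what browsers actually honour for the back/forward cache. It assumes your theme's machine name is THEMENAME (a placeholder) and that the Webform content type uses the module's default machine name, webform.

```php
<?php
// Added example for the thread above; not part of Webform or of Drupal core.
// Place this in your theme's template.php (Drupal 6). THEMENAME is a
// placeholder for your theme's machine name.
//
// For every page whose node is a Webform (the form itself at node/NID and
// the confirmation page at node/NID/done), tell browsers and proxies not to
// store the page. The HTTP headers are the part that matters: browsers use
// "Cache-Control: no-store" to decide whether a page may be restored from
// the back/forward cache. The <meta http-equiv> tags are a best-effort
// fallback for older clients and match what the question asked for.
function THEMENAME_preprocess_page(&$variables) {
  // Only act on node paths (node/123, node/123/done, ...).
  if (arg(0) != 'node' || !is_numeric(arg(1))) {
    return;
  }
  $node = node_load(arg(1));
  // 'webform' is Webform's default content type machine name (assumption).
  if (!$node || $node->type != 'webform') {
    return;
  }

  // Real HTTP response headers. drupal_set_header() calls PHP's header(),
  // which replaces any same-named header Drupal already queued.
  drupal_set_header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
  drupal_set_header('Pragma: no-cache');
  drupal_set_header('Expires: Sun, 19 Nov 1978 05:00:00 GMT');

  // The same directives as <meta> tags in the <head> section.
  drupal_set_html_head('<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />');
  drupal_set_html_head('<meta http-equiv="Pragma" content="no-cache" />');

  // template_preprocess_page() copied the head markup into $variables['head']
  // before this hook ran, so rebuild it or the new tags never reach
  // page.tpl.php.
  $variables['head'] = drupal_get_html_head();
}
```

After saving template.php, clear the theme registry (Administer » Site configuration » Performance » Clear cached data) so Drupal picks up the new hook, then check the response with your browser's network tools: the Webform node page should carry "Cache-Control: no-store" in its response headers. The check on the node type rather than on a fixed [nid] means you do not need one page-node-[nid].tpl.php per form; it covers all of your Webform nodes at once. If you use Drupal's anonymous page cache, note that it stores and replays the headers that were sent when the page was first generated, so clear the page cache once after enabling this.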

Automatically closed -- issue fixed for 2 weeks with no activity.