Security Issue
DanDMan
03-13-2005, 08:52 PM
Is it possible to force the browser to close upon logout?
The reason we are asking if this is possible is due to a potential security
breach of our vBulletin Discussion Forums.
Basically, when a user logs out, the previously viewed pages are still
cached and fully available simply by clicking the 'Back' button. I was able
to see the forums, structure, postings, even the text of sent Private
Messages... Of course all the links were dead, however the fact that the
information is still viewable is a problem.
In addition, after logging-out, the confirmation screen had a 'forum jump'
drop-down box that displayed the entire structure of the forums. This is
also a problem.
If forcing a browser close upon logout would be difficult, is there
another way to prevent the above from breaching the security of our
Discussion Forums? The seriousness of this potential security breach could
cause many of our users to be too uncomfortable to use the forums actively.
Thank you in advance...
Aloha,
Dan
Zachery
03-13-2005, 09:52 PM
Try enabling no-cache headers.
Closing the browser will not do anything unless their browser is made to clear all history on exit.
DanDMan
03-14-2005, 08:24 AM
Thank you for the very fast reply Zachery!
I am not quite sure what you mean by 'enabling no-cache headers'. How does one do that and what does it do? (I am a bit of a newbie at this)
I figured that if there was a way to at least close the browser window, casual users would be deterred from exposing anything potentially sensitive. If the window was closed, they would have to know how / where to view the cache instead of merely hitting the 'back' button.
Perhaps a combination of both closing the window and enabling the no-cache headers?
Marco van Herwaarden
03-14-2005, 08:41 AM
> I am not quite sure what you mean by 'enabling no-cache headers'.
AdminCP->vBulletin Options->Cookies and HTTP Header Options->Add No-Cache HTTP Headers: Yes
> How does one do that and what does it do? (I am a bit of a newbie at this)
It will tell your browser not to cache pages. (so it will also increase the load on your webserver)
Zachery
03-14-2005, 02:22 PM
> AdminCP->vBulletin Options->Cookies and HTTP Header Options->Add No-Cache HTTP Headers: Yes
> It will tell your browser not to cache pages. (so it will also increase the load on your webserver)
It's not so much of a load, Marco, more bandwidth than anything. However, he does not want people viewing his forums cached, so I see no alternative.
Marco van Herwaarden
03-14-2005, 02:43 PM
You are right, it is more a bandwidth issue, but he asked for an explanation and I tried to explain as simply as possible.
DanDMan
03-14-2005, 06:37 PM
MarcoH64 & Zachery,
Thank you both very much for the guidance and easy-to-understand explanation.
I will speak to our System Administrator and have him implement your suggestion immediately.
Just out of curiosity, will this also clear the issue of, after logging-out, having the 'Forum Jump' Drop-Down Box display the entire structure of the forums?
Thank you again and Aloha,
Dan
Marco van Herwaarden
03-14-2005, 06:40 PM
The forum jump box respects the permissions set for each usergroup, so you will have to check the permissions on guests.
DanDMan
03-28-2005, 06:45 PM
It seems that this has not solved our issue. I am still able to use the 'Back' button of the browser to view everything viewed and posted. I even tried closing the browser and rebooting the computer - when I log back in, poke around, and log out, I can see everything via the 'back' button.
Also, the 'Forum Jump' box reflects the permissions of the user that just logged out. For example, after I log out, it shows the forum structure to which I have access. If I log in as a test user, after logging-out, the 'Forum Jump' box shows the forum structure to which that account has access.
Even though the jump links are dead until a user logs in again, the display of the structure is something we would like to avoid.
Unless there is a way to make sure this doesn't happen, is there a way to force the browser to close upon logout in addition to setting the No-Cache HTTP Headers to 'yes'?
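An added example, not part of the thread and not vBulletin code: a small Python check for confirming what caching headers a page actually returns once the no-cache option is switched on. It separates `no-cache` (a stored copy may exist but must be revalidated before reuse) from `no-store` (the browser must not keep a copy); the paths and header sets are constructed samples, not what vBulletin sends.

```python
# Added example: classify HTTP response headers by what a browser may keep.
# The sample header sets and paths are constructed, not captured from vBulletin.

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives


def classify(headers):
    """Return 'no-store', 'revalidate' or 'storable' for one response."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return "no-store"      # the browser must not keep any copy
    if "no-cache" in cc:
        return "revalidate"    # a copy may be kept, but must be rechecked
    # Pragma: no-cache is a legacy HTTP/1.0 hint; this example treats it as
    # no-cache only when no Cache-Control header is present.
    if "cache-control" not in h and "no-cache" in h.get("pragma", "").lower():
        return "revalidate"
    return "storable"


def audit(pages):
    """Return (path, verdict) pairs for pages not marked no-store."""
    return [(p, v) for p, hdrs in pages.items()
            if (v := classify(hdrs)) != "no-store"]


# Constructed responses for three pages a logged-in member might view.
SAMPLE = {
    "/private.php": {"Cache-Control": "private, no-cache, max-age=0",
                     "Pragma": "no-cache"},
    "/showthread.php": {"Content-Type": "text/html"},
    "/usercp.php": {"Cache-Control": "no-store, no-cache, must-revalidate"},
}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE):
        print(f"{path}: {verdict}")
```

To use it on a live forum, replace `SAMPLE` with the headers shown in the browser's developer tools for each page viewed while logged in.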