I created a admin page that has the login, the menu options, and all the submit forms to insert new queries all on one document. My only problem is say I log myself in and I click on a link to insert a new query. say if I want to go back to the main menu. If I click the back button, i get this...

Warning: Page has Expired The page you requested was created using information you submitted in a form. This page is no longer available. As a security precaution, Internet Explorer does not automatically resubmit your information for you.

To resubmit your information and view this Web page, click the Refresh button.

What do I need to do to get rid of this error. so users can click the back button without having security precaution and forms that submit twice

    Why not just create a link that takes them to the previous page?

    Anyway, I think the problem lies in the cache-control header. Try using Firefox and seeing what headers are sent to the client. The cache-control header should have a max-age and other values to it. google for "Cache-Control" and you'll get information. You may want to look at different options. Not sure what's going to work, and what's not. I'm not an IE guy, I use Firefox almost exclusively (my work requires IE to view the schedule).

    But if you download Firefox, and the Firebug extension, you can look at exactly what headers are being sent back and forth and tweak as necessary. Just play around with it a bit. You'll eventually find the proper set.

      Im not to formiluar with Cache Control. This is probably the first time I heard of it. What does it have to do with pressing the back button and the previous page still being displayed.

      Im Using One document. Every piece of Content on that document is wrapped in a IF statement

      The following is not actual script, just a concept of how my pages are setup

      <?php if ($_GET['admin'] == 1){ ?>
             <div id="loginpage">
                     SHOW LOGIN PAGE. IF the password is Valid. then the URL varible admin  is set to 2 and the page is refreshedand the if statement that == 2 is now executed. any other if statements are ignored.
             </div>
      <?php }?>
      
      <?php if ($_GET['admin'] == 2){ ?>
             <div id="Menu">
             <a href="admin.php?admin=3">NEW PRODUCT</a>                                         <a href="admin.php?admin=4">NEW CATEGORY</a>
                     SHOW ADMIN MENU FOR SELECTING STUFF. once again. if a user clicks on a link then the page refreshes with the value of admin == something different.
             </div>
      <?php }?>
      
      
      <?php if ($_GET['admin'] == 3){ ?>
             <div id="NewProd">
                     A form to make a new product
             </div>
      <?php }?>
      
      <?php if ($_GET['admin'] == 4){ ?>
             <div id="NewCategory">
                     Make a new Category
             </div>
      <?php }?>
      

      Now say Im on the login screen. And I sign in. its going to compare my password with the password in MySQL. if all is RIGHT then it is going to set the URL varible ADMIN = 2. the page basically refreshes but this time with the ADMIN varible being 2. so the IF statement that = 2 is going to start functioning. Within those tags, all the menu content is displayed. now lets say I click back to try to go to the login screen again. or lets say I click on a link that sets the URL varible admin to 3 or 4. Its going to refresh the page and the IF statement that = 3 or 4 is going to funciton and display the right kind of content. again lets say I click back. then thats when I get

      Warning: Page has Expired The page you requested was created using information you submitted in a form. This page is no longer available. As a security precaution, Internet Explorer does not automatically resubmit your information for you.

      To resubmit your information and view this Web page, click the Refresh button.

      Now if I click refresh then the page appears again. GREAT sweet. But I dont want my users to go through hell or just be plain annoyed by the error messege. Of course i could create a BACK link. But I as a web surfer tend to use the BACK button alot, so I feel that I should make it fair for all the people out there that love using the back button and forward button to navigate pages. Is there any possible way fixing this problem.

      I understand what you are trying to say, its a great tip and all, but before I go that far, I would like to know if there is anything more specific towards fixing this issue.

        Well the cache-control header defines how long the page is valid for. That is, it defines how long the browser can keep the files in it's private cache on your computer before it needs to re-check the site for changes.

        So if you have cache-control not set, IE may be caching the posted information, and thus try to re-post it but it's own security measures catch it. So by setting cache-control to no-cache and set the max-age to 0, then effectively you stop the browser from caching anything on that page. You can read more about Cache-Control header here: [w3.org]

        You would implement it in your PHP page like so:

        <?php
        header('Cache-Control: max-age=0, no-cache, must-revalidate');
        header('Pragma: no-cache');
        
        // The rest of your script...

          I implemented that code on to my document. I logged in and click on a link. then i press back and got

          Warning: Page has Expired The page you requested was created using information you submitted in a form. This page is no longer available. As a security precaution, Internet Explorer does not automatically resubmit your information for you.

          To resubmit your information and view this Web page, click the Refresh button.

          The same error message.

            I dont think its cache control. I worked with coldfusion a couple weeks back and never had this problem.

              Have you googled for this? Cache control was my best guess. I don't really care about the pop-ups that a user is going to see if they go back to a POSTed page. Matter of fact, I want them to see that so that they know they may be sending sensitive info again.

              Google Results:
              Shapeshed.com
              Webmaster World
              Google Groups: Back Button POST Issue

              Hope the links help you out. Seems like they all say the same thing, use a header 😉

                ok. but for my situation. all my syntax is written one document like below.

                page1-> Login FORM
                page1-> once submit the page refreshes and checks to see if form has been filled if filled and checks to see if its valid. if valid the content will be displayed and the login form will be gone. if the form is not valid, the login form will still appear on the page and nothing will change.

                page1-> if valid the customer clicks the back button
                page1-> the page refreshes and the error message is displayed

                What I want to know is, How exactly is the form being submited twice. Is the $POST varible still defined from the login content being displayed. Do I have to empty the $POST varible so if the customer clicks back it will see that is defined and try to resubmit it again ??

                  The form is posted twice because that's what a browser does. When you go to a site, your browser sends some header requests to the server. The server then sends a response. Inside the headers is the POST information.

                  Now, when you click "back" all the browser is doing is re-requesting the same page with the same headers. So the POST data is again re-submitted.

                  There are solutions to this:
                  1.) Timestamp your stuff. If it's within the last XX seconds then don't allow it.
                  2.) Utilize two different pages. Send the form via GET to one page, put it in the session, go back to other page. If the session is populated, okay, if not, then show the form.
                  3.) Use Cache-Control: private so that no info is cached.

                  The cache-control private seems like it works. I just did a very basic test, but it seems like it works.

                    Write a Reply...