
How to skip history of visited page in browser

Due to some security constraints, there is a requirement that the page visited should not be listed in the browser's history.

So the pages need to not be shown in the history at all.

I have tried the following ways but failed.

Solution 1:

<%
session.invalidate();
response.setHeader("Cache-Control","no-cache");
response.setHeader("Cache-Control","no-store");
response.setDateHeader("Expires", 0);
response.sendRedirect("home.jsp");
%>

Solution 2:

<%
Response.Cache.SetExpires(DateTime.Parse(DateTime.Now.ToString()))
Response.Cache.SetCacheability(HttpCacheability.Private)
Response.Cache.SetNoStore()
Response.AppendHeader("Pragma", "no-cache")
%>

Solution 3:

<body onload="history.forward()">

Solution 4:

<%
response.setDateHeader("Last-Modified", System.currentTimeMillis());
%>

Like in Firefox, there is the functionality Tools -> Start Private Browsing, which doesn't store any session data. Is there anything that can be done by JavaScript to achieve this?


You can't rely on the client side when security matters. All browsers have different implementations for history. You should rely on a server-side solution.


You cannot do it using any of the above four ways.

The only thing you can do is make your URL such that it's unique and can't be revisited, as per your requirement.


This behavior is under the control of the browser and not the server, so your options are very limited.

One way to achieve it is to create a page on site A which just contains an iframe that loads the content of the site which you don't want to see in the browser history.

But it will still be brittle. Users can use "Open Link in new window/tab" to break out of your shell.

If you have access to the clients, one solution is to install the browsers with history turned off in the settings plus restrict access to the browser preferences so users can't change this option.


You can't affect the browser's history mechanism. The best thing you can do is make sure the page has not been cached and possibly "disguise" it by making the URL random gibberish that has no meaning.

http://wiki.apache.org/struts/BrowserBackAndSecurity#Data_Caching_vs._Browser_Session_History


This smells of "security by obscurity". You should tackle the real problem (sensitive data in URLs) instead of obfuscating your way around it.

Just make it so that URLs don't contain any sensitive information (and please don't do it by wrapping the entire page in an iframe - this again is just a bit of obfuscation).
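
As an added illustration of the server-side approach the answers recommend (not code from this thread): a framework-free Node.js request handler that takes the sensitive value in a POST body, keeps it in server-side session state, redirects to a data-free URL, and marks every response `no-store`. The routes, the `account` field, the `sid` cookie and the in-memory session map are assumptions made for the example.

```javascript
const crypto = require('crypto');

const sessions = new Map(); // session id -> { account }; in-memory, demo only
// Sent on every response so no cache may keep a copy of a sensitive page.
const NO_STORE = { 'Cache-Control': 'no-store', 'Pragma': 'no-cache', 'Expires': '0' };

function parseCookies(header = '') {
  return Object.fromEntries(
    header.split(';').map(p => p.trim().split('=')).filter(kv => kv.length === 2));
}

// Pure handler: {method, url, headers, body} in, {status, headers, body} out.
function handle(req) {
  const url = new URL(req.url, 'https://app.example');
  const sid = parseCookies(req.headers.cookie).sid;

  if (req.method === 'POST' && url.pathname === '/statement') {
    // The sensitive value arrives in the POST body, never in a query string.
    const account = new URLSearchParams(req.body).get('account');
    if (!account) return { status: 400, headers: NO_STORE, body: 'missing account' };
    const newSid = crypto.randomBytes(16).toString('hex');
    sessions.set(newSid, { account });
    // Redirect to a data-free URL; that URL is what ends up in history.
    return { status: 303, body: '', headers: { ...NO_STORE, Location: '/statement',
      'Set-Cookie': `sid=${newSid}; HttpOnly; Secure; SameSite=Strict; Path=/` } };
  }
  if (req.method === 'GET' && url.pathname === '/statement') {
    // Refuse data in the URL so no link or bookmark can ever carry it.
    if (url.search) return { status: 400, headers: NO_STORE, body: 'no query allowed' };
    const session = sessions.get(sid);
    if (!session) return { status: 303, headers: { ...NO_STORE, Location: '/login' }, body: '' };
    return { status: 200, headers: NO_STORE, body: `Statement for account ${session.account}` };
  }
  if (req.method === 'POST' && url.pathname === '/logout') {
    // Destroying server-side state makes the old history entry useless.
    sessions.delete(sid);
    return { status: 303, headers: { ...NO_STORE, Location: '/login' }, body: '' };
  }
  return { status: 404, headers: {}, body: 'not found' };
}
```

The URL `/statement` still appears in the browser's history, as the answers say it must; what this pattern ensures is that the entry reveals nothing and cannot redisplay the page once the session is gone.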
