Hi, All:
I am trying to disable browser caching for certain pages such as MyAccount.aspx by adding "Response.Cache.SetCacheability(HttpCacheability.NoCache)" to the MyAccount page's load event. For testing, I log in and open the MyAccount page, then I log out, and it redirects me to the default page. Here, if I hit the browser back button, I expected the MyAccount page would NOT be reloaded from the client cache. However, I encountered some problems, as follows:
1. "Response.Cache.SetCacheability(HttpCacheability.NoCache)" doesn't work in Firefox (v1.06); the MyAccount page can still be reloaded by clicking the "back" button after logging out.
2. For IE, it works, but when I hit the "back" browser button after logging out from the MyAccount page, instead of showing "page has expired", the page shows the following error message:
"An unexpected error has occurred on this page. The system administrators have been notified. Please feel free to contact us with the information surrounding this error.
The error occurred in:
http://localhost/ThePhile/Modules/Users/MyAccount.aspx
Error Message: Specified cast is not valid.
--------------------------------------------------------------------------------
Stack Trace:
System.InvalidCastException: Specified cast is not valid. at Wrox.ThePhile.Web.Modules.Users.MyAccount.Page_Load(Object sender, EventArgs e) in c:\wrox\thephile\modules\users\myaccount.aspx.cs:line 103 at System.EventHandler.Invoke(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain()"
My code at line 103 is:
"if ( ((PhilePrincipal)Context.User).Roles.Count > 0 )"
My question is: if hitting the "back" button just loads the cached page (which should not exist in the case of setting NoCache), why is this code at line 103 still executed? And how do I handle it so that the user is shown "useful info" rather than the error message?
-----------------------------------------------------------------
3. Another question (I didn't find this topic on the forum) is how to modify the authentication system as follows:
When a user opens the thePhile site, the site will remember him and show personalized welcome info (just like the original project implemented), but if this user tries to view some sensitive pages, such as the MyAccount page, I want to force this user to re-supply his password each time, no matter what permissions were given to this user before. (Many big e-commerce companies like Amazon and eBay have implemented this kind of security system.)
The original thePhile project was designed in this way: if a user closes the browser without signing out and then opens it again, the thePhile website will remember this user (this is for personalization purposes); however, the problem is that this user can still view the MyAccount page without needing to provide his password again, as long as he didn't explicitly sign out last time, because the program only checks the "FormsAuthenticationCookie" and the "user's permissions".
How do we secure certain pages while still maintaining the personalization feature?
Any ideas? I really appreciate it if you can help me out!
Gary
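The following is an added C# example, not code from the thePhile project or from the post above. It covers both problems in one base page: it emits the full set of no-cache headers (NoCache alone only sends "Cache-Control: no-cache"; "no-store" and a past Expires date are what stop the back button from replaying the page), it checks the principal type before casting so a request that arrives after sign-out (when Context.User is the framework's default principal rather than a PhilePrincipal, which is the assumed cause of the InvalidCastException) is redirected instead of crashing, and it requires a recent password confirmation before a sensitive page is shown, independent of the persistent forms cookie used for personalization. The PhilePrincipal stand-in, the page names Login.aspx and ConfirmPassword.aspx, the 15-minute confirmation window and the use of FormsAuthentication.Authenticate (which checks the <credentials> section of web.config) are all assumptions; thePhile's own database password check would go in place of that call.

```csharp
using System;
using System.Collections;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace Example
{
    // Assumed minimal stand-in for the project's PhilePrincipal (only Roles and Identity).
    public class PhilePrincipal : IPrincipal
    {
        private IIdentity identity;
        public ArrayList Roles = new ArrayList();
        public PhilePrincipal(IIdentity identity) { this.identity = identity; }
        public IIdentity Identity { get { return identity; } }
        public bool IsInRole(string role) { return Roles.Contains(role); }
    }

    // Base class for pages that must never be cached and need a fresh password confirmation.
    public abstract class SensitivePage : Page
    {
        static readonly TimeSpan ConfirmWindow = TimeSpan.FromMinutes(15); // assumed window
        const string ConfirmedAtKey = "PasswordConfirmedAt";

        protected override void OnLoad(EventArgs e)
        {
            // 1. Cache headers: forbid storing the page in browser and proxy caches.
            Response.Cache.SetCacheability(HttpCacheability.NoCache);
            Response.Cache.SetNoStore();
            Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
            Response.AppendHeader("Pragma", "no-cache");

            // 2. Safe principal check: "as" returns null instead of throwing when the
            //    request carries no PhilePrincipal (e.g. the back button after sign-out).
            PhilePrincipal user = Context.User as PhilePrincipal;
            if (user == null || !user.Identity.IsAuthenticated)
            {
                Response.Redirect(ResolveUrl("~/Login.aspx") + "?ReturnUrl="
                    + Server.UrlEncode(Request.RawUrl), true);
                return;
            }

            // 3. Step-up: the remembered cookie is fine for personalization, but this
            //    page also needs the password to have been confirmed in this session.
            if (!PasswordRecentlyConfirmed())
            {
                Response.Redirect(ResolveUrl("~/ConfirmPassword.aspx") + "?ReturnUrl="
                    + Server.UrlEncode(Request.RawUrl), true);
                return;
            }

            base.OnLoad(e);
        }

        protected bool PasswordRecentlyConfirmed()
        {
            object stamp = Session[ConfirmedAtKey];
            if (stamp == null) return false;
            return DateTime.UtcNow - (DateTime)stamp < ConfirmWindow;
        }

        // Called by the confirmation page after a successful password check.
        public static void MarkPasswordConfirmed(HttpSessionState session)
        {
            session[ConfirmedAtKey] = DateTime.UtcNow;
        }
    }

    // Code-behind for the assumed ConfirmPassword.aspx page.
    public class ConfirmPasswordPage : Page
    {
        protected TextBox Password;
        protected Label Message;

        protected void Confirm_Click(object sender, EventArgs e)
        {
            string name = Context.User.Identity.Name;
            // FormsAuthentication.Authenticate checks web.config <credentials>; swap in
            // the project's own user-store check here.
            if (Context.User.Identity.IsAuthenticated
                && FormsAuthentication.Authenticate(name, Password.Text))
            {
                SensitivePage.MarkPasswordConfirmed(Session);
                string returnUrl = Request.QueryString["ReturnUrl"];
                // Only follow site-local return targets, so the parameter cannot be
                // abused to bounce the user to another host after confirmation.
                if (returnUrl == null || !returnUrl.StartsWith("/") || returnUrl.StartsWith("//"))
                    returnUrl = ResolveUrl("~/Default.aspx");
                Response.Redirect(returnUrl, true);
            }
            else
            {
                Message.Text = "Password not recognised. Please try again.";
            }
        }
    }
}
```

MyAccount would inherit from SensitivePage instead of Page. Signing out should also clear the session (Session.Abandon()) so the confirmation timestamp does not survive the sign-out; the confirmation lives in the server-side session rather than in the cookie precisely so that the persistent "remember me" cookie alone never unlocks a sensitive page.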