I'm implementing an iAuth form for a credit application in a J2EE container (JSTL+JSP+Stripes). The vendor states in the implementation guide:
Expire the “Questions” page after answers submission
When performing iAuth transactions you will need to “expire” the page on which the consumer's questions will be displayed after they have submitted their answers. This is crucial in order to prevent a consumer from using the "back" button to modify their answers after they have already submitted them once and found that their authentication attempt was unsuccessful. Once the answers to a question set have been transmitted to vendor, that question session is closed. Any additional attempts at modifying the answers to the same question set will result in an "invalid transaction-continue" response.
I am unsure what this means.
Are "they" suggesting just setting "Cache-Control" and/or "Pragma" headers on the form page?
Well you can use HTTP related techniques to expire pages. But those methods are rather what I consider "soft" techniques.
To better secure your system, you may want to follow this kind of server-side implementation:
Page A refers to the page that goes to the Form Page and Page B is the controller which receives the information posted by Form Page.
- User visits Page A
- Page A determines that the Form Page should be viewable to User
- Page A creates a session variable `A` and sets it to `true`
- Page A shows a link, or redirects the User, to Form Page
- Form Page determines whether User can view the page by checking session variable `A`
- Form Page displays the form.
- User enters the information and submits the form
- Form Page posts data to Page B
- Page B receives the information, validates, and deletes session variable `A`
Of course it can be even more complex with time checking (whether the User took too long from Page A to Form B, or took merely a second to submit Form Page to Page B).
When it comes to security in networking: Server side > Client Side
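As an added illustration (not code from the question, the answer, or the vendor's guide), here is the Page A / Form Page / Page B flow from the answer written for a servlet container, together with the "soft" Cache-Control/Pragma/Expires headers the question asks about. It assumes plain `javax.servlet` servlets; the class names, URL paths, the `gateToken` hidden field, the 2-second and 10-minute thresholds, and the vendor call placeholder are all hypothetical. Instead of a bare `true` flag, the session holds a random one-time token plus its issue time, so Page B can also do the timing check the answer mentions.

```java
// Added example, not part of the original Q&A. Names and thresholds are assumed.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.*;

/** Session-scoped state for one question set: a random token plus the time it was issued. */
final class QuestionGate {
    static final String ATTR = "iauth.questionGate";   // plays the role of session variable "A"
    static final long MIN_MS = 2_000L;                  // assumed: under 2 s looks automated
    static final long MAX_MS = 10 * 60_000L;            // assumed: question set stale after 10 min
    private static final SecureRandom RNG = new SecureRandom();

    final String token;
    final long issuedAt;

    private QuestionGate(String token, long issuedAt) { this.token = token; this.issuedAt = issuedAt; }

    /** Page A: open the gate. A fresh token replaces any stale one left by an earlier attempt. */
    static QuestionGate open(HttpSession session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        QuestionGate g = new QuestionGate(token, System.currentTimeMillis());
        session.setAttribute(ATTR, g);
        return g;
    }

    /** Form Page: the questions may be rendered only while the gate is open and not expired. */
    static boolean isOpen(HttpSession session) {
        QuestionGate g = (QuestionGate) session.getAttribute(ATTR);
        return g != null && System.currentTimeMillis() - g.issuedAt <= MAX_MS;
    }

    /**
     * Page B: consume the gate. Succeeds at most once per token. The attribute is removed
     * before any check, so a resubmission via the back button (or a failed attempt retried)
     * finds no gate and is refused, which is exactly the "expire the page" requirement.
     */
    static boolean consume(HttpSession session, String submitted) {
        QuestionGate g = (QuestionGate) session.getAttribute(ATTR);
        session.removeAttribute(ATTR);
        if (g == null || submitted == null) return false;
        boolean same = MessageDigest.isEqual(g.token.getBytes(StandardCharsets.UTF_8),
                                             submitted.getBytes(StandardCharsets.UTF_8));
        long elapsed = System.currentTimeMillis() - g.issuedAt;
        return same && elapsed >= MIN_MS && elapsed <= MAX_MS;
    }

    /** The "soft" layer: ask the browser and any proxy never to keep a copy of the questions page. */
    static void noStore(HttpServletResponse resp) {
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);
    }
}

/** Page A: decides the user may see the question set, opens the gate, sends them on. */
class PageAServlet extends HttpServlet {
    @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        QuestionGate.open(req.getSession(true));
        resp.sendRedirect(req.getContextPath() + "/questions");   // hypothetical Form Page URL
    }
}

/** Form Page: renders the questions only while the gate is open, with caching forbidden. */
class FormPageServlet extends HttpServlet {
    @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession s = req.getSession(false);
        if (s == null || !QuestionGate.isOpen(s)) { resp.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        QuestionGate.noStore(resp);
        req.setAttribute("gateToken", ((QuestionGate) s.getAttribute(QuestionGate.ATTR)).token);
        // The JSP (hypothetical path) renders the questions and the token as a hidden field.
        req.getRequestDispatcher("/WEB-INF/questions.jsp").forward(req, resp);
    }
}

/** Page B: accepts one submission per question set; afterwards the gate is gone for good. */
class PageBServlet extends HttpServlet {
    @Override protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession s = req.getSession(false);
        if (s == null || !QuestionGate.consume(s, req.getParameter("gateToken"))) {
            resp.sendError(HttpServletResponse.SC_CONFLICT, "question session already closed");
            return;
        }
        // submitAnswersToVendor(req);  // placeholder for the vendor's iAuth call, not shown here
        resp.sendRedirect(req.getContextPath() + "/result");      // hypothetical result page
    }
}
```

With `no-store` set, pressing "back" after Page B normally makes the browser re-request the Form Page rather than show a cached copy; that request then hits `isOpen` with the gate already consumed and gets a 403, so the user cannot even see the old questions, let alone resubmit them. Even when a browser does serve the page from its back/forward cache, the resubmission fails in `consume` because the token has been removed from the session. In Stripes the same three steps map onto event handlers of an ActionBean, reaching the session through `getContext().getRequest().getSession()`.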