Take your pages off the internet! Seriously, it is the only way. Anyone with a little knowledge can get the source without the right click and without the view menu. There are programming languages that will easily get the source, Google has a cache (and now Yahoo by the look of it) which can be saved simply, you can save the page off to a file, you can browse the browsers cache.

Disabling the back button is tremendously bad internet practice. I did it by accident once and got several VERY nasty emails.

i jus need it for intranet site and it is necessary for the security.

i jus need it for intranet site and it is necessary for the security.

Again, there is no way to protect the source.

Unless you put everything in an image, or write the entire page in Flash, the browser NEEDS the source to render the HTML page. Once the client machine has the HTML, it's available.

What is so precious that you have to hide it? If you have passwords, etc. in there, then you need to re-write the page.

There is NO way to do this.

If programming is server side - they user never can see the program. So avoid JavaScript where possible and make it all server side. But HTML and CSS can still be seen.

You should consider a software solution... If you really require that type of security, I recommend writing the program in C++ and then compile it. You also need to write a master copy of the program that can accept requests from the standalone copies.

There are also two other ways:
Write your own browser... and your own Web server... and have it serve the pages only to your own browser over the 65535-bit encrypted protocol you just wrote...
Or, allow people to use whatever browser they want... But don't send a page back to them. Instead you can fax them the contents...

The available solutions to these two problems range from possible to circumvent to ludicrously easy. If you really need this sort of thing for "security", then you should realize that any security you're gaining from such techniques is just an illusion.

Better to write the application from the ground up assuming that users can and will view the source and use the back arrow.

Plus, even if you do implement a javascript solution, which is useful at times, I've done that at the request of a client (it works fine, just used to protect company images from joe blow user copying it, obviously as noted here it's completely impossible to block any knowledgeable user from accessing your page data), but that solution isn't supported in Opera, it won't let you do that, and the solution vanishes as soon as the user turns off their javascript in all browsers, but solutions like this do block the average user from accessing your stuff, and the average user does generally account for somewhere in the high 90+% of your sites users.

But it's not the average user that you need to worry about. It's the non average user that will try and view the source, and more often than not, that same non average user is the same person that knows how to get around any blocks you have to viewing source.

There is ABSOLUTELY no way to stop someone from viewing your HTML, images, javascript, etc.

If there are password, you need a server sides solution like PHP, ASP, Perl, Python, etc...

<!--

var message="Function Disabled!";

///////////////////////////////////
function clickIE4(){
if (event.button==2){
alert(message);
return false;
}
}

function clickNS4(e){
if (document.layers¦¦document.getElementById&&!document.all){
if (e.which==2¦¦e.which==3){
alert(message);
return false;
}
}
}

if (document.layers){
document.captureEvents(Event.MOUSEDOWN);
document.onmousedown=clickNS4;
}
else if (document.all&&!document.getElementById){
document.onmousedown=clickIE4;
}

document.oncontextmenu=new Function("alert(message);return false")

// -->
</script>

Note:

I got the above from a site where the right click was disabled ;)

I got the above from a site where the right click was disabled

And it's not very good, is it :) It will make it difficult only for NN4, IE4, and IE5... All other browsers can continue to right-click :)

I think it's important to understand that huge difference between "disable" and "make it as annoyingly hard as possible".

You can never disable it. Just make it more difficult.

Right click blocking is totally useless for protecting images.

Anyone could simply highlight your images and cut and paste onto another application(Work, Excel, Photoshop..etc).

...or open up the page in Mozilla/Opera. Especially in Opera where you can quickly turn off JavaScript :)

I disabled rightclick on my webpage with just one small line of code...no scripting or anything.. but as I have been told..there are many ways to get round it.

"oncontextmenu="return false"

in the code....think its in the <body> section...

Works to disable rightclick...but thats all it does.

Works to disable rightclick...but thats all it does.

...and very poorly at that. It doesn't work in most browsers... and if you turn JavaScript off -- voila!

Disable right click - nice. But does it disable the image toolbar in IE? Ah, so images can still be easily saved. Does it disable File>Save As...? Ah, so the page source can easily be viewed.

All disabling the right click does is annoy users. Most, if not all, the things on the right-click (the shortcut menu) can be done another way.

I don't have a right mouse button... ;)

a mouse without a right button? thats unusual...would make playing computer games interesting...

Hi Pinger, glad to have your first post, hope to see and read more from you.

One thing: personal URLs are not allowed in the forums per the TOS. You might want to edit it yourself before an administrator does.

Yes, your home page is a "mess" to view the source. Nice looking otherwise. As you say, to a casual observer it's unreadable, but a quick download of the tool you mentioned opened it right up. Still, it's better than nothing, and I think I *will* look into it for a project I'm developing that needs to deliver ASP pages in an off-line environment. I don't care about the HTML so much as the business logic in the database calls.

Thanks for the link.

Before this thread was discussing disabling back buttons. I agree that in general this is bad practice. What about in the instance that you have a series of session variables stored and the session times out. Without editing the timeout setting if you want to redirect the user to the home page to reselect their session variables, would it be bad practice to disable the back button here? I would think opening the redirect into a new page and closing the previous page would effectively 'disable' the back button and force the user to reselect their session variables. You could also use the replace funtion or a dummy intermediate page. Are there better ways to do this? Which would be the best?

a mouse without a right button? thats unusual...would make playing computer games interesting...

Not unusual at all... All Macs have one-button mice. And that's how it started...
...even though I always thought Macs didn't have a left button?

---

it's dificult for common user

Oh, that's right... we want to make it more difficult for the average user! Now that's usability. ;)

---

disable (whatever it may be)

What about people who right-click on links to open them in new windows? Or those who right-click to go back to the previous page? Or those who don't use IE? ...or right-click to copy a text snippet? Or select text to print it?

You're trying to tell yourself that you're doing something good, when in reality what you're doing completely messes your page up. You're breaking your page, making it not work... removing the normal behavior.

Besides, if your content (or design) is that awesome... Then you're currently making good money off it... and then you would know that all you really need is a good lawyer and copyright protection.

No matter how you're trying to justify these fishy ways of breaking the visitor's browser -- nothing is a good reason.

---

What about in the instance that you have a series of session variables stored and the session times out. Without editing the timeout setting if you want to redirect the user to the home page to reselect their session variables, would it be bad practice to disable the back button here?

I'm using sessions on tons of pages... and I never disable anything. If they want to click back -- go ahead! If the session times out all the session data gets deleted... So they won't be able to "revive" an old session anyway...

Don't break the browser -- Provide a solution instead

I'm sure there are better ways to do it, but the way it's set up now, the user will click the back button and doesn't realize they have to recreate their data query. So they click on links and get timeout errors. It just seems to make more sense, when their session times out, to redirect them to the home page so they can recreate their query. And some users don't realize why they've been redirected. So they try to go back. I'm sorry if I'm missing the point. I understand that disabling capabilities is not the greatest solution. I am just trying to understand what a better way to help users would be in this instance.

As soon as the session times out, or if the user requests an old session -- just display a page with big letters stating "This login has expired. Please log in again." If they click back you redirect to this page as well...

True, if you allow your pages to be cached this won't help, since clicking back will just serve up the cached page... So you need to disable caching for session related pages.

Unfortunately we don't have control over our server. The webdesk controls that and they make those decisions. So we're fairly limited. Thank you for all your help though!

the user will click the back button and doesn't realize they have to recreate their data query.

That's just lazy programming. When the user submits form data, you need to capture that data. When I go back, I expect the data to be there.

On most of the big sites, ebay, amazon, priceline, etc. they do this. I wrote this into my web applications as well.

Rather than break the browser, write the code so it works like you want it to work.

Unfortunately we don't have control over our server.

You don't need control over the server to do any of the above things...
All you need control over is the pages...