I have an application that can be used without authentication on computers in public locations. It’s a simple four page application that allows users to apply for a marriage license. Some offices will have a public computer kiosk where applicants can fill out their own information before proceeding to the clerk. They can also do so at home before visiting the office. What considerations should I take to make sure that a user cannot get access to the previous user’s input? Some form data will contain sensitive info such as DOB, SSN and Mother’s Maiden Name.

1. Disable AutoComplete

So far, I’ve set autocomplete=false in my Master page form tag.

<form id="frmMain" runat="server" autocomplete="false">

2. Disable Page Caching

I’ve also been able to disable page caching in IE and FF, but cannot do so in Safari and Chrome. Anybody know the trick? Hitting the back button still shows the form-filled data in Safari and Chrome.

// Disables page-caching in IE
Response.Cache.SetAllowResponseInBrowserHistory(false);
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
Response.Expires = 0;

// HACK: fixes Firefoxes cache issue
Response.AddHeader("ETag", new Random().Next(1111111, 9999999).ToString());

3. Manage the session

I’ve also implemented a timer on each page that will kill the session after n number of minutes. The session holds the current application ID with which the pages use to load previously entered data. They can get more time by clicking a button. When the timer is up, it redirects back to the main page where I kill the session in Page_Load. I also redirect to this page when the users click the “Finished/Submit” button. Once the session is killed, navigating to the pages by URL will never load the previous application. It’ll be treated as a new one.

protected void Page_Load(object sender, EventArgs e)
{
   if (!IsPostBack)
     Session.Abandon();
}

4. what else should I do?

Your awesome suggestions/tips here