Telling a browser not to cache, such as with the Cache-Control: no-cache directive, simply tells it not to reuse the cached data on subsequent requests, but instead, it must re-request the data from the server each time. It says nothing about caching the file locally for off-line browsing, etc.
By the way, I prefer to use the Cache-Control: no-cache HTTP header rather than specify this in a meta tag because the HTTP header is recognized by and passed through proxies and other caching mechanisms between the server and the browser.
Instead, take a look at the Cache-Control: no-store and private directives, which tell the web browser and any shared caching mechanisms, such as proxies, not to store the data.
Note, however, that you can help protect the user's data, but you can't protect them from themselves. There are registry settings that allow a user to override the "no-store" directive in IE.
Perhaps an in-memory solution would be better.
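To make the difference between no-cache, no-store and private concrete, here is an added example (not part of the original answer) that parses a Cache-Control value and reports what the header permits. The function names and sample values are hypothetical, and only the Cache-Control header is considered.

```python
import re

# One directive: a name, an optional "=argument" (token or quoted string), then "," or end.
# The quoted-string branch keeps commas inside arguments such as private="A, B" intact.
_DIRECTIVE = re.compile(
    r'\s*([^=,\s]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^,]*))?\s*(?:,|$)'
)

def parse_cache_control(value):
    """Return {lowercased directive name: argument string, or None if it has none}."""
    directives = {}
    for name, arg in _DIRECTIVE.findall(value):
        directives[name.lower()] = arg.strip().strip('"') or None
    return directives

def storage_policy(value):
    """Summarise what a Cache-Control value permits (other headers are ignored)."""
    cc = parse_cache_control(value)
    no_store = "no-store" in cc
    # Only the unqualified forms apply to the whole response;
    # private="Field" and no-cache="Field" restrict just the listed header fields.
    private = "private" in cc and cc["private"] is None
    no_cache = "no-cache" in cc and cc["no-cache"] is None
    return {
        # no-store is the only directive that forbids keeping a copy at all.
        "browser_may_store": not no_store,
        # Shared caches (proxies) are excluded by either no-store or private.
        "shared_cache_may_store": not no_store and not private,
        # no-cache allows storage but forbids reuse without asking the server.
        "must_revalidate_before_reuse": no_cache,
    }

def responses_left_on_disk(responses):
    """Given {path: Cache-Control value}, list paths a browser may still store."""
    return sorted(p for p, v in responses.items()
                  if storage_policy(v)["browser_may_store"])

if __name__ == "__main__":
    # Constructed sample values for sensitive pages, not taken from any real site.
    sample = {
        "/account": "no-cache",
        "/statement": "no-store, private",
        "/profile": "private, max-age=0",
    }
    for path, value in sample.items():
        print(path, value, storage_policy(value))
    print("may be written to the local cache:", responses_left_on_disk(sample))
```

In the sample, only /statement is kept out of the browser's local cache; /account and /profile may still be stored even though they will not be reused without contacting the server or served from a shared proxy.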