30

I have Devise configured in my web application. I have a problem with the following workflow:

To access the admin panel I need to log in. After that I navigate to the admin panel of my web app normally. When I click logout it redirects me to the root page, which is the behavior I want so far.

The strange thing starts when, on this page and after the above actions, I click the browser's back button, which shows me the cached last page I was on. My session has been destroyed, because if I click refresh it redirects me and tells me to log in to access the page, but I don't want to be able to see the last history page of the browser.

How is this possible and what can I do to prevent it? It has to do with browser caching, right? Is the only way to fix it to remove the caching from the logged-in pages to prevent this behavior? How can I do that?

Mat
JohnDel
  • 1
    You may check these two links: http://stackoverflow.com/questions/4120289/how-to-clear-browser-cache-after-user-logout-to-prevent-access-to-private-info-v and http://stackoverflow.com/questions/711418/how-to-prevent-browser-page-caching-in-rails – tiktak Jul 03 '12 at 10:35

3 Answers

59

You want to set the headers of your page to prevent caching. You can do that like so:

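  # Place in ApplicationController to apply to every action.
  # Rails 4+ calls this before_action; before_filter was removed in Rails 5.1.
  before_filter :set_cache_buster

  # Tell the browser not to store or reuse this response.
  def set_cache_buster
    response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate"
    response.headers["Pragma"] = "no-cache"                        # HTTP/1.0 caches
    response.headers["Expires"] = "Fri, 01 Jan 1990 00:00:00 GMT"  # already expired
  end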

Credit goes to the first response of this thread.

Community
Michael Frederick
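The answer above sets the headers on every action. As an added example (not code from the thread or from Devise), this Rack-style middleware applies the same headers only to responses served to a signed-in user, so public pages stay cacheable. It assumes Warden's proxy is at `env["warden"]` and that the default scope is the one being protected; `NoStoreForSignedIn`, `FakeWarden` and `demo_headers` are hypothetical names.

```ruby
# Added example, not code from the thread. Header names are lowercase
# because HTTP treats them case-insensitively and Rack 3 requires it.
class NoStoreForSignedIn  # hypothetical name
  NO_STORE = {
    "cache-control" => "no-cache, no-store, max-age=0, must-revalidate",
    "pragma"        => "no-cache",
    "expires"       => "Fri, 01 Jan 1990 00:00:00 GMT"
  }.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    # Check before and after the app runs so the responses to the
    # login and logout requests themselves are covered as well.
    before = signed_in?(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless before || signed_in?(env)

    # Drop any differently-cased copies the app set, then apply ours.
    kept = headers.reject { |name, _| NO_STORE.key?(name.downcase) }
    [status, kept.merge(NO_STORE), body]
  end

  private

  # Assumption: Warden's proxy (what Devise uses) is at env["warden"].
  def signed_in?(env)
    warden = env["warden"]
    !warden.nil? && warden.authenticated?
  end
end

# Constructed stand-in for Warden so the block runs without Rails or Devise.
FakeWarden = Struct.new(:user) do
  def authenticated?
    !user.nil?
  end
end

# Constructed request: an app that marks its page publicly cacheable.
def demo_headers(user)
  app = ->(_env) { [200, { "Cache-Control" => "public, max-age=3600" }, ["<h1>admin</h1>"]] }
  env = { "PATH_INFO" => "/admin", "warden" => FakeWarden.new(user) }
  NoStoreForSignedIn.new(app).call(env)[1]
end
```

In a Rails app with Devise this would be mounted with `config.middleware.insert_after Warden::Manager, NoStoreForSignedIn`, so that `env["warden"]` is populated by the time `call` runs.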
5

You can attempt to tell the browser not to cache stuff but that's what it is - an attempt.

If they viewed the page previously there is little you can do to enforce not being able to see the page again - it is somewhat out of your control at that point.

For instance, they can download the HTML of the page (which is what they are doing when they view the page) and you also can't stop them from taking, say, a screenshot.

That said, browser caching will work in some (most?) cases, refer to Michael Frederick's answer.

Scott Schulthess
3

This definitely has to do with caching. You have to set the appropriate HTTP headers accordingly. This probably has the answer you need: How to prevent browser page caching in Rails

  • Johannes
Community
Johannes Fahrenkrug