
After logout, if I push back button I can see the last page which requires login

I have Devise configured in my web application. I have a problem with the following workflow:

To access the admin panel I need to log in. After that I navigate to the admin panel of my web app normally. When I click logout it redirects me to the root page, which is the behavior I want so far.

The strange thing starts when, on this page and after the above actions, I click the browser's back button, which shows me the cached last page I was on. My session has been destroyed, because if I click refresh it redirects me and tells me to log in to access the page, but I don't want to be able to see the last history page of the browser.

How is this possible and what can I do to prevent it? It has to do with browser caching, right? Is the only way to fix it to remove the caching from the logged-in pages to prevent this behavior? How can I do that?

JohnDel asked Jul 01 '12 10:07


People also ask

Why after logout clicking back button on the page displays previous page content?

It happens because your browser cached the page on the client. The solution is to prevent the caching of that page(s), by forcing the browser to request a new page even when pressing Back button, instead of reading the saved one.

How to prevent Browser from going back to login form page once user is logged in javascript?

You can't prevent someone from using the back button. You need a redirect on your login page or an error message right before the user session is set if they are logged in. Now if the user presses back, they simply go to the homepage and no logic is run.


2 Answers

You want to set the headers of your page to prevent caching. You can do that like so:

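    # Use before_action on Rails 4 and later (before_filter was removed in Rails 5.1).
    before_filter :set_cache_buster

    # Tell the browser not to store or reuse this response.
    def set_cache_buster
      response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate"
      response.headers["Pragma"] = "no-cache"
      response.headers["Expires"] = "Fri, 01 Jan 1990 00:00:00 GMT"
    end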

Credit goes to the first response of this thread.

Michael Frederick answered Oct 14 '22 05:10
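An added example, not from the original answers: a Rack-style middleware in plain Ruby (no gems) that applies the same three headers only to responses under protected path prefixes, so public pages stay cacheable. The class name, the `/admin` prefix and the stub app are assumptions made for illustration.

```ruby
# Added example: mark responses under protected prefixes as non-storable.
# Header names are lowercase, as Rack 3 expects; HTTP treats them case-insensitively.
class NoStoreForProtectedPaths
  NO_STORE_HEADERS = {
    "cache-control" => "no-cache, no-store, max-age=0, must-revalidate",
    "pragma"        => "no-cache",
    "expires"       => "Fri, 01 Jan 1990 00:00:00 GMT"
  }.freeze

  # prefixes: hypothetical list of path prefixes that require login.
  def initialize(app, prefixes: ["/admin"])
    @app = app
    @prefixes = prefixes
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless protected_path?(env["PATH_INFO"].to_s)

    # Drop caching headers the app already set (in any casing), then apply ours.
    cleaned = headers.reject { |k, _| NO_STORE_HEADERS.keys.any? { |n| n.casecmp?(k) } }
    [status, cleaned.merge(NO_STORE_HEADERS), body]
  end

  private

  # Matches "/admin" and "/admin/..." but not "/administrator".
  def protected_path?(path)
    @prefixes.any? { |p| path == p || path.start_with?("#{p}/") }
  end
end

# Constructed stub standing in for the real application: it marks every
# response as publicly cacheable, which the middleware must override.
STUB_APP = lambda do |_env|
  [200, { "content-type" => "text/html", "Cache-Control" => "public, max-age=3600" }, ["ok"]]
end

# Returns the response headers the middleware produces for a request path.
def headers_for(path)
  _status, headers, _body = NoStoreForProtectedPaths.new(STUB_APP).call("PATH_INFO" => path)
  headers
end
```

In a Rails application a middleware like this would be registered with `config.middleware.use`; the controller filter in the answer above does the same job for a single controller.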


You can attempt to tell the browser not to cache stuff but that's what it is - an attempt.

If they viewed the page previously there is little you can do to enforce not being able to see the page again - it is somewhat out of your control at that point.

For instance, they can download the HTML of the page (which is what they are doing when they view the page) and you also can't stop them from taking, say, a screenshot.

That said, browser caching will work in some (most?) cases, refer to Michael Frederick's answer.

Scott Schulthess answered Oct 14 '22 04:10