logout not working, caching on nginx, how to allow logout?

Question

I have everything cached, if I logged into my account, you will not be able to log out any more) how do you get out when you quit? i need to know how to delete cookies and session! when i'll logout!

P.S. if i'll disable caching on nginx level, everything works fine, problem in nginx

nginx conf

    gzip on;
    gzip_disable "msie6";

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    proxy_connect_timeout 5;
    proxy_send_timeout 10;
    proxy_read_timeout 10;
    proxy_buffering on;
    proxy_buffer_size 16k;
    proxy_buffers 24 16k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;

    proxy_temp_path /tmp/nginx/proxy_temp;
    add_header X-Cache-Status $upstream_cache_status;
    proxy_cache_path /tmp/nginx/cache levels=1:2 keys_zone=first_zone:100m;
    proxy_cache one;
    proxy_cache_valid any 30d;
    proxy_cache_key $scheme$proxy_host$request_uri$cookie_US;

server conf

upstream some site {
  server unix:/webapps/some/run/gunicorn.sock fail_timeout=0;
}

server {
    listen   80;
    server_name server name;
    expires 7d;
    client_max_body_size 4G;

    access_log /webapps/some/logs/nginx-access.log;
    error_log /webapps/some/logs/nginx-error.log;
    error_log /webapps/some/logs/nginx-crit-error.log crit;
    error_log /webapps/some/logs/nginx-debug.log debug; 
    location /static/ {
        alias   /webapps/some/static/;
    }

    location /media/ {
        alias   /webapps/some/media/;
    }
    location ~* ^(?!/media).*.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
        root root_path;
        expires 7d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
    }    
    location ~* ^(?!/static).*.(?:css|js|html)$ {
        root root_path;
        expires 7d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
    }     

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_cache one;
        proxy_cache_min_uses 1;
        proxy_cache_use_stale error timeout;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        if (!-f $request_filename) {
            proxy_pass http://some;
            break;
        }
    }
    error_page 404 /404.html;
    location = /error_404.html {
        root /webapps/some/src/templates;
    }

    error_page  500 502 503 504 /500.html;
    location = /error_500.html {
        root /webapps/some/src/templates;
    }
}

Answer 1

Instead of logging out with a GET request, change your logout view to accept a form POST.

POST requests should not be cached.

This has the added security benefit of preventing users from being logged out with iframes or malicious links (ie: https://example.com/logout/, assuming you have not disabled django's CSRF protection).

Note: there is a ticket on django's bug tracker related to this issue.