How to prevent browser page caching in Rails
Asked Answered
A

6

158

Ubuntu → Apache → Phusion Passenger → Rails 2.3.

The main part of my site reacts to your clicks. So, if you click on a link, it will send you on to the destination, and instantly regenerate your page.

But, if you hit the back button, you don't see the new page. Unfortunately, it's not showing up without a manual refresh; it appears the browser is caching it. I want to make sure the browser does not cache the page.

Separately, I do want to set far-future expiration dates for all my static assets.

What's the best way to solve this? Should I solve this in Ruby on Rails? Apache? JavaScript?


Alas. Neither of these suggestions forced the behavior I'm looking for.

Maybe there's a JavaScript answer? I could have Ruby on Rails write out a timestamp in a comment, and then have the JavaScript code check to see if the times are within five seconds (or whatever works). If yes, then fine, but if no, then reload the page?

Do you think this would work?

Apollyon answered 2/4, 2009 at 20:13 Comment(2)
What is the context of the first line? Your site? Something in Ubuntu? What is "Phusion Passenger"?Goddaughter
Phusion Passenger is an app server. It was pretty popular back then, I don't know if it's still widely used.Apollyon
A
347

I finally figured this out - http://blog.serendeputy.com/posts/how-to-prevent-browsers-from-caching-a-page-in-rails/ in application_controller.rb.

After Ruby on Rails 5:

class ApplicationController < ActionController::Base

  before_action :set_cache_headers

  private

  def set_cache_headers
    response.headers["Cache-Control"] = "no-cache, no-store"
    response.headers["Pragma"] = "no-cache"
    response.headers["Expires"] = "Mon, 01 Jan 1990 00:00:00 GMT"
  end
end

Ruby on Rails 4 and older versions:

class ApplicationController < ActionController::Base

  before_filter :set_cache_headers

  private

  def set_cache_headers
    response.headers["Cache-Control"] = "no-cache, no-store"
    response.headers["Pragma"] = "no-cache"
    response.headers["Expires"] = "Mon, 01 Jan 1990 00:00:00 GMT"
  end
end
Apollyon answered 14/4, 2009 at 17:40 Comment(10)
Should this be wrapped in a "if request.xhr?" so it only gets set on ajax refreshes but the normal pages do not?Colophony
@Smickie I've done exactly that. I only needed my Ajax requests to not be cached. Otherwise this answer is perfect!Hyams
I recommend wrapping in if request.xhr to only bust the cache for ajax requests like @Smickie mentioned. If you stop all caching for all requests, good luck scaling down the road.Jura
You only really need Cache-Control: no-store as long as the browser is compliant with HTTP 1.1. Section 14.9.2 What May be Stored by CachesPneumatics
Jan 1, 1990, was a Monday!Saccharo
Its not working for me I have add the same code in application_controller.rb and after logout I am able to see the last page by back button. Please guide me where I am wrong?Aborn
Will this also NOT cache JS and CSS in rails app ? Will JS and CSS be loaded from server for each request ?Tachymetry
Isn't it completely disabling caching for app? Because it will be located in application_controller.rb?Ladyfinger
This preventing caching for FF and Chrome, but not in IE 11. Is there anything more to do for IE??Ulises
The link is broken (DNS domain expiration?): "Hmm. We’re having trouble finding that site. We can’t connect to the server at blog.serendeputy.com."Goddaughter
C
16

Use:

expires_now()

expires_now()

Camacho answered 5/7, 2011 at 9:57 Comment(2)
expires_now only sends the no-cache header. Depending on the browser this might not be enough. (For example Firefox wants a no-store for non-HTTPS connections: developer.mozilla.org/en/docs/Using_Firefox_1.5_caching )Un
Agreed, this is not a valid solution, tested with Rails 5.2 and Chrome 77. no-store is also needed.Granvillegranvillebarker
L
3

I have used this line with some success in the controller. It works in Safari and Internet Explorer, but I haven't seen it work with Firefox.

response.headers["Expires"] = "#{1.year.ago}"

For your second point, if you use the Ruby on Rails helper methods like

stylesheet_link_tag

and leave the default settings on your web server, the assets are typically cached pretty well.

Leena answered 2/4, 2009 at 21:29 Comment(2)
1.year.ago is unnecessary overhead. Just pick some arbitrary time in the past like Fri, 01 Jan 1990 00:00:00 GMTJura
@Jura 1 jan 1990 was a Monday!Expressman
T
1

The cleaner way would be to write Rack middleware, which changes the Cache-Control header based on some logic (for example, only for application/xml mime-type).

Or, for an uglier, but still working approach, one could change the ActionDispatch::Response::DEFAULT_CACHE_CONTROL constant to 'no-cache'.

Of course, if the controller and/or action granularity is required, then it's better to do this in the controller.

Tomasatomasina answered 7/11, 2010 at 20:3 Comment(0)
C
1

Point of note: You can't conditionally clear the cache (like if a before_filter only calls reset_cache if the user's already been there). You need to unconditionally clear the cache, because the browser won't make a new request just to see if this time it needs to reload, even though it didn't need to last time.

Example:

before_filter :reset_cache, if: :user_completed_demographics?

won't work to prevent users from coming back after they've been there, since the browser uses the original cache headers on the Back button.

before_filter :reset_cache

will work, however (after refreshing the page and clearing the cache from before you added this, obviously), since, on the first request, the browser will get the no-cache, no-store, ... and apply it to future page loads.

Chandachandal answered 20/2, 2016 at 17:25 Comment(0)
L
0

no_cache_control Gem.

If you need to do this for all responses, e.g., to pass a penetration test (Burp Suite, Detectify, etc.), you can install this Gem on Ruby on Rails 4+ in order to add the following headers to all responses:

Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: -1

It works like a charm and is really the right way to go for secure, HTTPS web applications that require authentication to do anything.

Labaw answered 18/9, 2019 at 19:35 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.