How to clear browser cache after user logout to prevent access to private info via 'Back' button
After a user logs out, if they hit the back button, they can go back to the last page they were on before logging out.

The app I am working on will often be used on a public computer (library or computer lab, for example) and I'd like to prevent users from being able to see anything from previous user sessions.

I'm on Rails 3 and Devise, btw, although it seems that this issue would come up with any framework or login mechanism.

Is the solution to use headers/meta-tags to disable browser-caching? Anybody know of a gem or tutorial that addresses this issue?

Look forward to your advice.

Resorcinol answered 7/11, 2010 at 23:29

Use the code below in your application controller; it works for me. Hope this helps you. Thank you!!

before_filter :set_cache_buster

# Runs before every action: tells the browser (and any intermediate cache) not to
# store the response, so the Back button after logout has nothing to show.
def set_cache_buster
   response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate"
   response.headers["Pragma"] = "no-cache"                           # HTTP/1.0 caches
   response.headers["Expires"] = "Fri, 01 Jan 1990 00:00:00 GMT"     # a date already in the past
end
Smoko answered 5/6, 2014 at 11:10

Being on Rails, you can easily set up everything placed in the public folder with an aggressive cache, and cherry-pick what else can be safely cached, like the public "about" page.

You should set Cache-Control: no-cache to prevent the browser from caching HTML pages, XML and JSON containing sensitive information (basically anything that is accessible only with a proper login), and set a more aggressive cache for static assets like CSS and images.

  • Good candidates for an aggressive cache are the CSS and images used within your application and public pages.
  • Good candidates for no-cache are anything accessible after a login (i.e. if you are storing images that should be accessible only to their owner, they shouldn't be cached; if you have an Ajax request for authenticated users, that XML should not be cached).
Dogy answered 6/12, 2010 at 1:6
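The two answers above fit together: the first gives the headers, the second says where they belong. The following is an added example (not code from either answer, and not Devise's or Rails' own code) that puts both into a Rack-style middleware: the first answer's no-store headers go on every response rendered for a signed-in user, and a long public cache lifetime goes on static assets. It assumes the Rack calling convention call(env) -> [status, headers, body] and a session hash in env["rack.session"]; the path lists, the "user_id" session key and the stub app are hypothetical.

```ruby
# Added example, not code from the answers above: a Rack-style middleware that applies
# the first answer's no-cache headers only where the second answer says they belong
# (anything served to a logged-in user) and a long public cache lifetime to static
# assets. Assumes the Rack convention call(env) -> [status, headers, body] and a
# session hash in env["rack.session"]; the path lists and session key are hypothetical.
class CachePolicy
  ASSET_PREFIXES = ["/assets/", "/images/", "/stylesheets/", "/javascripts/"].freeze
  PUBLIC_PATHS   = ["/", "/about", "/users/sign_in"].freeze   # hypothetical public pages
  ASSET_MAX_AGE  = 365 * 24 * 3600                            # fingerprinted assets never change

  # The headers posted in the first answer; Expires is an RFC 1123 date in the past.
  PRIVATE_HEADERS = {
    "Cache-Control" => "no-cache, no-store, max-age=0, must-revalidate",
    "Pragma"        => "no-cache",
    "Expires"       => "Fri, 01 Jan 1990 00:00:00 GMT",
  }.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, headers.merge(policy_for(env)), body]
  end

  # Decide the policy from the request alone: the path and whether a user is signed in.
  def policy_for(env)
    path    = env["PATH_INFO"].to_s
    session = env["rack.session"] || {}
    if ASSET_PREFIXES.any? { |prefix| path.start_with?(prefix) }
      { "Cache-Control" => "public, max-age=#{ASSET_MAX_AGE}" }
    elsif PUBLIC_PATHS.include?(path) && session["user_id"].nil?
      # Public page rendered for an anonymous visitor: a short cache is fine.
      { "Cache-Control" => "public, max-age=300" }
    else
      # Everything else, including a public page rendered while signed in (it may show
      # the user's name in the navbar), must not be stored, so Back cannot revive it.
      PRIVATE_HEADERS
    end
  end
end

# Stand-in for the Rails app so the example runs without Rack or Rails installed.
DEMO_APP = lambda do |env|
  [200, { "Content-Type" => "text/html" }, ["<html>#{env['PATH_INFO']}</html>"]]
end

# Run one request through the middleware and return the response headers.
def demo_headers(path, user_id: nil)
  session = user_id ? { "user_id" => user_id } : {}
  env = { "PATH_INFO" => path, "rack.session" => session }
  CachePolicy.new(DEMO_APP).call(env)[1]
end

if __FILE__ == $PROGRAM_NAME
  ["/assets/application-3f1a.css", "/about", "/account"].each do |path|
    [nil, 42].each do |uid|
      puts "#{path} (user #{uid.inspect}): #{demo_headers(path, user_id: uid)['Cache-Control']}"
    end
  end
end
```

In a Rails app you would register this after the session store (for example config.middleware.insert_after ActionDispatch::Session::CookieStore, CachePolicy in config/application.rb) so that env["rack.session"] is populated when it runs, and replace the "user_id" lookup with your own signed-in test (with Devise, env["warden"].authenticated? is the usual check). A middleware also covers responses that never pass through a before_filter in ApplicationController, such as files streamed by another Rack app mounted in the routes.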

Yes, you have to use HTTP headers to instruct the browser not to cache the page. This page () from OWASP contains the information about how to do this.

As per the above article, you can set the following headers to instruct the browser not to cache the page:

HTTP/1.1:
Cache-Control: no-cache

or

HTTP/1.0:
Pragma: no-cache
Expires: <past date or illegal value (e.g., 0)>

Hope this helps.

Jett answered 9/11, 2010 at 12:32
Thanks for the info. This will take care of the security issue, but with caching turned off, performance will suffer, won't it? Users will have to download all static assets on each page load. This seems like a tricky problem to solve. Any clever ideas on how to balance security with performance in this case?
Resorcinol
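The answer above lists directives, and the comment asks what the trade-off costs. One way to see both is to audit the headers your app actually sends. The following is an added example (not from the answer, not from the OWASP page it cites, and not part of the original thread): a small classifier that reads a response's caching headers the way a browser does and reports which pages are still retrievable after logout. The sample responses are constructed; the page labels are hypothetical. One caveat the classifier encodes: Cache-Control: no-cache only forces revalidation before a cached copy is reused, and a browser may still show a stored copy from its history when the user presses Back; no-store is the directive that forbids writing the response to a cache at all, so only no-store is counted as logout-safe here.

```ruby
require "time"

# Added example, not from the answer above or the OWASP page it cites: classify a
# response's caching headers the way a browser reads them, so you can audit which
# pages remain retrievable after logout. Header values below are constructed samples.
module CacheHeaderAudit
  # Parse "a, b=1, c" into { "a" => nil, "b" => "1", "c" => nil }; names are case-insensitive.
  def self.directives(value)
    return {} if value.nil?
    value.split(",").each_with_object({}) do |part, out|
      name, val = part.strip.split("=", 2)
      next if name.nil? || name.empty?
      out[name.downcase] = val && val.delete('"')
    end
  end

  # An Expires value that is in the past or unparseable (such as "0") means already stale.
  def self.expires_in_past?(value, now: Time.now.utc)
    return false if value.nil?
    parsed = begin
      Time.httpdate(value)
    rescue ArgumentError
      nil
    end
    parsed.nil? || parsed <= now
  end

  # :no_store   - must not be written to any cache; the only verdict that is safe after logout
  # :revalidate - may be stored, must be checked with the server before being reused
  # :fresh      - may be reused from cache for max-age seconds without contacting the server
  # :heuristic  - no explicit policy; the browser may cache on its own heuristics
  def self.classify(headers)
    h  = headers.each_with_object({}) { |(k, v), out| out[k.to_s.downcase] = v }
    cc = directives(h["cache-control"])
    return :no_store   if cc.key?("no-store")
    return :revalidate if cc.key?("no-cache") || cc["max-age"] == "0"
    return :fresh      if cc["max-age"].to_i > 0
    # HTTP/1.0 fallbacks from the answer: Pragma: no-cache, or an Expires in the past / set to 0.
    return :revalidate if h["pragma"].to_s.downcase.include?("no-cache") || expires_in_past?(h["expires"])
    :heuristic
  end

  # no-cache only forces revalidation before reuse; a browser may still show a stored
  # copy from its history on Back. Only no-store forbids storing the response at all.
  def self.safe_after_logout?(headers)
    classify(headers) == :no_store
  end
end

# Constructed sample responses, keyed by a hypothetical page label.
SAMPLE_RESPONSES = {
  "/account (first answer's headers)"    => { "Cache-Control" => "no-cache, no-store, max-age=0, must-revalidate",
                                              "Pragma" => "no-cache", "Expires" => "Fri, 01 Jan 1990 00:00:00 GMT" },
  "/account (HTTP/1.1 line from OWASP)"  => { "Cache-Control" => "no-cache" },
  "/account (HTTP/1.0 lines from OWASP)" => { "Pragma" => "no-cache", "Expires" => "0" },
  "/assets/app.css"                      => { "Cache-Control" => "public, max-age=31536000" },
  "/about (no headers set)"              => {},
}.freeze

# Audit every sample; returns { page => [verdict, safe_after_logout] }.
def audit(samples = SAMPLE_RESPONSES)
  samples.each_with_object({}) do |(page, headers), out|
    out[page] = [CacheHeaderAudit.classify(headers), CacheHeaderAudit.safe_after_logout?(headers)]
  end
end

if __FILE__ == $PROGRAM_NAME
  audit.each do |page, (verdict, safe)|
    puts "#{page.ljust(40)} #{verdict}#{safe ? '' : '   <- retrievable after logout'}"
  end
end
```

Run against real responses (for example the headers captured with curl -I against a logged-in session), the :fresh bucket is the answer to the performance question in the comment: static assets keep their long max-age and are not re-downloaded, while only the pages classified :no_store are the ones the Back button cannot bring back.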
