Rails ( set_no_cache method) Cannot disable browser caching in Safari and Opera

Asked 24/5, 2012 at 19:37 Answered 15/2, 2014 at 21:27

Solved ruby-on-rails ruby safari opera browser-cache

After using Devise for my authentication, I found that there was a security hole in that, after the user logs out, the session variables are preserved. This allows anyone to press the back button and access the logged in user's previous screen.

I looked at these posts Num 1 Num 2 Num 3

I added these lines to my application_controller

before_filter :set_no_cache
def set_no_cache
response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate"
response.headers["Pragma"] = "no-cache"
response.headers["Expires"] = "Fri, 01 Jan 1990 00:00:00 GMT"
end

In the _form.html.erb I added this at the top

<%if user_signed_in? %>
<%=link_to "Sign Out",  destroy_user_session_path, :method => :delete %><br/>
<%= form_for(@listing) do |f| %>
<% if @listing.errors.any? %>
...........

Then I tested the application on Firefox, Chrome and Safari.

Firefox and Chrome were fine in that I logged out and hit the back button and could not see the previous screen of the user, however, in Safari and Opera, the insecure behavior persists. This code does not have an effect.

Any suggestions on how to fix this?

Thanks

Zetland answered 24/5, 2012 at 19:37 Comment(5)

This is a duplicate of #2867326 – Olfactory 30/5, 2012 at 12:11

hmm. Looked at this link. No where does it talk about Safari, it only mentions Opera. And I have tried all the solutions they listed in there as you can see above. – Zetland 30/5, 2012 at 13:36

Ops, you're right about Safari. Only the "Opera" part of the question is a real duplicate, as the reply there explains why Opera behaves like this and that the only real workaround is to use https and must-revalidate. – Olfactory 31/5, 2012 at 9:26

OK thanks a lot. I have managed to solve the Safari issue. but for Opera I will note your suggestions. Thanks a lot :) – Zetland 31/5, 2012 at 17:47

anyone know how to do this in rails 3.2.20 ? #26995214 – Prater 18/11, 2014 at 12:47

I faced the same problem and found a good solution and I blogged it to

http://www.fordevs.com/2011/10/how-to-prevent-browser-from-caching-a-page-in-rails.html

To add ‘no-cache’, add the following lines @ the application_controller.rb file

before_filter :set_no_cache

and the function

def set_no_cache
    response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate"
    response.headers["Pragma"] = "no-cache"
    response.headers["Expires"] = "Fri, 01 Jan 1990 00:00:00 GMT"
end

Irredeemable answered 22/3, 2013 at 8:6 Comment(3)

This doesn't work in Safari but Chrome and Firefox it does. – Denisse 25/1, 2018 at 5:32

You can also take a look at the no_cache_control gem that adds these headers to all requests automatically: github.com/equivalent/no_cache_control – Expiry 18/9, 2019 at 19:43

The gem no_cache_control does exactly what's mentioned as the accepted answer. No need to add a gem for three lines of code. – Uncinariasis 15/3, 2021 at 12:22

First of all, for any issues with cache, use Mark Nottingham's guide on HTTP caching

Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0

Try this.

Reins answered 8/6, 2012 at 19:4 Comment(0)

I found that doing this in my application controller worked great for development.

after_filter  :expire_for_development

protected

def expire_for_development
  expires_now if Rails.env.development?
end

Mozzetta answered 15/2, 2014 at 21:27 Comment(0)

Recommended topics

Hot tags