How to clear browser cache after user logout to prevent access to private info via 'Back' button

After a user logs out, if they hit the back button, they can go back to the last page they were on before logging out.

The app I am working on will often be used on a public computer (library or computer lab, for example) and I'd like to prevent users from being able to see anything from previous user sessions.

I'm on Rails 3 and Devise, btw, although it seems that this issue woul开发者_JAVA百科d come up with any framework or login mechanism.

Is the solution to use headers/meta-tags to disable browser-caching? Anybody know of a gem or tutorial that addresses this issue?

Look forward to your advice.

Use the below code in application controller .. it works for me. Hope this will help you. Thank you!!

code

before_filter :set_cache_buster

def set_cache_buster
   response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate"
   response.headers["Pragma"] = "no-cache"
   response.headers["Expires"] = "Fri, 01 Jan 1990 00:00:00 GMT"
end

Being on Rails, you can easly setup everything placed in the public folder with an aggressive cache, and cherry-pick what else can be safetly cached, like the public "about" page.

You should set Cache-Control: no-cache to prevent the browser to cache HTML pages, XML, JSON containing sensitive informations (basically anything that is accessible only with a proper login) and set a more aggressive cache for static assets like css and images.

• Good candidates for aggressive cache are the css and images used within your application and public pages.
• Good candidates for a no-cache are anything accessible after a login (i.e. if you are storing images that should be accessible only to tis owner, it shouldn't be cached, if you have an Ajax request for autenticated users, that XML should not be cached).

Yes, You have to use the http headers to instruct browser not to cache the page. This page () from OWASP contains the information about how to do this.

As per the above article you can set the following header to instruct browser not to cache the page:

HTTP/1.1:
Cache-Control: no-cache

or

HTTP/1.0:
Pragma: no-cache
Expires: <past date or illegal value (e.g., 0)>

Hope this helps.