tornado.web.authenticated back button issue

Question

I just added a simple login using tornado.web.authenticated based off of some tutorials online. Unfortunately, after logging out successfully, when I press the back button on my browser, I'm still able to see logged in pages. Is there a way to trigger the login screen for pages in the browsing history?

Edit: To clarify, I am already using the @tornado.web.authenticated annotation and it is working well for the normal use cases, but I am running into the issue that when going back using the browser's Back button, I am still able to see pages as if I were logged in. I am hoping that there is a way to address this potential security issue.

score 5 · Accepted Answer · edited May 23 '17 at 11:43

When you hit the back button after logout, your browser loads the previous page from cache. To prevent protected pages from being cached, you must set the following headers as described in this question

self.set_header('Cache-Control', 'no-cache, no-store, must-revalidate')
self.set_header('Pragma', 'no-cache')
self.set_header('Expires', '0')

You could put that in a decorator, something like:

def protected(method):
    @tornado.web.authenticated
    @functools.wraps(method)
    def wrapper(self, *args, **kwargs):
        self.set_header('Cache-Control', 'no-cache, no-store, must-revalidate')
        self.set_header('Pragma', 'no-cache')
        self.set_header('Expires', '0')
        return method(self, *args, **kwargs)
    return wrapper

Then decorate your protected pages with @protected instead of @tornado.web.authenticated.

Neat! I found the cache-control myself after being pointed by @Mutant. Your answer seems much cleaner than what I was going to do, though. — chenj7, Feb 10 '14 at 15:56

Mutant · Answer 2 · 2014-02-10T15:40:40.987

2

Use the authenticated decorator on your method, that will make sure and redirect user to login page.

login_url should be configured part of the settings -

settings = dict({
    "login_url": "/#login",
    .....
 })

and decorator should be added like -

class Home(BaseHandler):
    @tornado.web.authenticated
    ...

Edit - User should be logged out, you can check by pressing F5, and it will redirect you to login page. If it shows you the content its just a cache issue and you might have to clear the cache explicitly.

edited Feb 10 '14 at 15:40

answered Feb 10 '14 at 15:19

Mutant

3,663
4
33
53

1

Yes, sorry I was not clear in my original question, but I am already using that annotation. In normal circumstances, it works fine, but my issue is that it does not redirect to the login_url when I press the back button on my browser. This is potentially insecure. I will try to update my question for clarification. – chenj7 Feb 10 '14 at 15:31
2

@magicpanda - In that case it seems like browser cache history problem. You might want to delete that explicitly. Look at some discussion here - https://groups.google.com/forum/#!topic/python-tornado/cfTvHzGCrcQ – Mutant Feb 10 '14 at 15:38
Yes, you hit the nail on the head. Thanks. +1 – chenj7 Feb 10 '14 at 15:54

tornado.web.authenticated back button issue

2 Answers2

Linked