
After using Devise for my authentication, I found that there was a security hole in that, after the user logs out, the session variables are preserved. This allows anyone to press the back button and access the logged in user's previous screen.

I looked at these posts Num 1 Num 2 Num 3

I added these lines to my application_controller

before_filter :set_no_cache

def set_no_cache
  response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate"
  response.headers["Pragma"] = "no-cache"
  response.headers["Expires"] = "Fri, 01 Jan 1990 00:00:00 GMT"
end

In the _form.html.erb I added this at the top

<% if user_signed_in? %>
  <%= link_to "Sign Out", destroy_user_session_path, :method => :delete %><br/>
  <%= form_for(@listing) do |f| %>
    <% if @listing.errors.any? %>
    ...........

Then I tested the application on Firefox, Chrome and Safari.

Firefox and Chrome were fine in that I logged out and hit the back button and could not see the previous screen of the user, however, in Safari and Opera, the insecure behavior persists. This code does not have an effect.

Any suggestions on how to fix this?

Thanks

banditKing
  • This is a duplicate of http://stackoverflow.com/questions/2866826/how-do-i-stop-opera-from-caching-a-page – hallvors May 30 '12 at 12:11
  • hmm. Looked at this link. No where does it talk about Safari, it only mentions Opera. And I have tried all the solutions they listed in there as you can see above. – banditKing May 30 '12 at 13:36
  • Ops, you're right about Safari. Only the "Opera" part of the question is a real duplicate, as the reply there explains why Opera behaves like this and that the only real workaround is to use https and must-revalidate. – hallvors May 31 '12 at 09:26
  • OK thanks a lot. I have managed to solve the Safari issue. but for Opera I will note your suggestions. Thanks a lot :) – banditKing May 31 '12 at 17:47
  • anyone know how to do this in rails 3.2.20 ? http://stackoverflow.com/questions/26994714/how-to-force-cache-control-to-no-store-in-rails-3-2-20 – equivalent8 Nov 18 '14 at 12:47

3 Answers


I faced the same problem and found a good solution and I blogged it to

http://www.fordevs.com/2011/10/how-to-prevent-browser-from-caching-a-page-in-rails.html

To add ‘no-cache’, add the following lines to the application_controller.rb file

before_filter :set_no_cache

and the function

def set_no_cache
    response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate"
    response.headers["Pragma"] = "no-cache"
    response.headers["Expires"] = "Fri, 01 Jan 1990 00:00:00 GMT"
end
Kathirvel K G
  • This doesn't work in Safari but Chrome and Firefox it does. – joeyk16 Jan 25 '18 at 05:32
  • You can also take a look at the `no_cache_control` gem that adds these headers to all requests automatically: https://github.com/equivalent/no_cache_control – Joshua Pinter Sep 18 '19 at 19:43
  • The gem no_cache_control does exactly what's mentioned as the accepted answer. No need to add a gem for three lines of code. – Vivek Tripathy Mar 15 '21 at 12:22
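The approach in this answer, as an added example that is not code from the question, the answers or the no_cache_control gem: a Rack-style middleware that stamps the same three headers on every response (so a page rendered for a logged-in user is not served from the browser cache after logout and the back button), plus a small checker that parses Cache-Control and confirms no-store and must-revalidate are present. Rack is not required, since a Rack app is just an object whose call(env) returns [status, headers, body]; the downstream "leaky" app and its values are constructed for illustration.

```ruby
# Headers from the accepted answer, applied to every response by the middleware.
NO_CACHE_HEADERS = {
  "Cache-Control" => "no-cache, no-store, max-age=0, must-revalidate",
  "Pragma"        => "no-cache",
  "Expires"       => "Fri, 01 Jan 1990 00:00:00 GMT"
}.freeze

class NoCacheMiddleware
  def initialize(app)
    @app = app
  end

  # Calls the downstream app and overwrites whatever caching headers it set,
  # so the browser never stores the authenticated page in its cache.
  def call(env)
    status, headers, body = @app.call(env)
    [status, headers.merge(NO_CACHE_HEADERS), body]
  end
end

# Parses a Cache-Control value into { directive => argument-or-nil }, e.g.
# "no-store, max-age=0" => { "no-store" => nil, "max-age" => "0" }.
def parse_cache_control(value)
  value.to_s.split(",").each_with_object({}) do |directive, acc|
    name, arg = directive.strip.split("=", 2)
    acc[name.downcase] = arg unless name.nil? || name.empty?
  end
end

# True only when the response forbids storing: "no-store" is the directive that
# stops the page being kept at all; "no-cache" by itself still allows storing
# and merely forces revalidation, which is why the answer sets both.
def no_store?(headers)
  cc = parse_cache_control(headers["Cache-Control"])
  cc.key?("no-store") && cc.key?("must-revalidate")
end

# Constructed stand-in for a Rails action that renders a logged-in page with a
# permissive cache policy (hypothetical values, not from the question).
LEAKY_APP = lambda do |_env|
  [200,
   { "Content-Type" => "text/html", "Cache-Control" => "public, max-age=3600" },
   ["<h1>My listings</h1>"]]
end

# Returns the response as the browser would see it after the middleware ran.
def wrapped_response(env = {})
  NoCacheMiddleware.new(LEAKY_APP).call(env)
end
```

As the comments above note, these headers are the server's side of the fix only; a browser that ignores them for its history cache needs the HTTPS plus must-revalidate workaround mentioned there.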

First of all, for any issues with cache, use Mark Nottingham's guide on HTTP caching

Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0

Try this.

karlcow

I found that doing this in my application controller worked great for development.

after_filter :expire_for_development

protected

def expire_for_development
  expires_now if Rails.env.development?
end
MetaSkills