I am creating a website using Flask that requires logging in and out. I am using Flask-Security to help with this. My problem is that after I log out, if I hit the back button, I return to the user's page. Is there a way to prevent returning to a session after logging out by pressing the back button in Flask?
5 Answers
You can tell the browser not to cache any pages by adding the `Cache-Control` header after every response. If you only want this for some responses, you could add this to specific views instead.

```python
# Ensure responses aren't cached
@app.after_request
def after_request(response):
    response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
    return response
```
- This answer is good because it really isn't that difficult. What WAS difficult was finding this answer. It took a very long time cycling through several low quality and barely addressed questions. Thank you, this is very useful. – J. Krajewski May 12 '22 at 19:23
> if I hit the back button, I return to the user's page
This is actually an incorrect statement.
The web browser caches pages locally as the user navigates. If the user logs out and then hits the back button, the cached version of the page will be shown. The user will not be returned to the user session; the user session is still closed.
You'll have to trick the browser to avoid this behavior, and this can be hard. For example, if your pages contain only the base layout and then request all the content via ajax, when you hit the back button the ajax will find there is no user session in the server and will not show any content.

Use the `Cache-Control` header to prevent a page from being cached.

```python
response.headers.add('Cache-Control', 'no-store, no-cache, must-revalidate, post-check=0, pre-check=0')
```

I don't think this is a Flask related problem. What you can do is redirect the user after the logout. You can do this in Flask with the `redirect` method:

```python
from flask import redirect
# url is the page to send the user to after logout
redirect(url)
```
Then, if the user presses the back button, it will land on the page where the redirect is located and will get redirected again.
You can also check on each page where a user needs to be logged in if he IS really logged in, then if he's not, do the redirect.
Browsers could cache your pages. When you hit the back button, the browser could show the cached page. To prevent a browser from caching a page, you can set the `Cache-Control: no-cache` header. In Flask you can do this by setting the header attribute of the Response object:

```python
response.headers['Cache-Control'] = 'no-cache'
```

- For me, the redirect only works if I hit the refresh button. With redirect implemented, I am still able to return to the user's page with the back button, but if I hit the refresh button while on the user's page, I am sent back to the login page. I would like it so that the back button does not bring me back to the user's page. – user3016362 Dec 18 '13 at 14:01
- I typed in `response.headers['Cache-Control'] = 'no-cache'`, and it did not work for me. I did some googling and found `response.headers.add('Cache-Control', 'no-store, no-cache, must-revalidate, post-check=0, pre-check=0')`, and this worked. Thank you for leading me down the right path. – user3016362 Dec 19 '13 at 04:55
- I have added, `return redirect(url_for(login_url));` it redirects to login page but when pressed back it goes to the page from where I logged out. – Vivek R Aug 22 '14 at 08:47
- @rednaw Let's say user is in `/dashboard` and if he clicks on logout I am taking him to `/logout` clearing the cache and cookies, then redirecting him to `/login` page. Now if he presses back button it goes to `/dashboard` and displays data. Although if I set nocache to Dashboard then it works fine but the problem is you never know from which page the user is logging out so you need to **set nocache for all the logged-in pages** which I don't want to do. – Vivek R Aug 25 '14 at 05:31
- @vividvilla Well, if you don't set the `no-cache` header for a page, then a browser is allowed to cache it, and may return the cache when a user presses the back button. You should take those things into consideration. – gitaarik Aug 25 '14 at 07:39
- @rednaw so there is no other way to work around this? How do sites like Amazon, Facebook and Google implement it? – Vivek R Aug 25 '14 at 08:38
- @vividvilla What do you mean? What do these sites do differently? What's the problem of using the `no-cache` headers? – gitaarik Aug 25 '14 at 08:49
- @rednaw I still want to cache logged in pages because it makes life easier for users (page loads faster) but I don't want to risk the users' details after logout. For example take Amazon: once you log out from profile page and if you try to go back it won't go back but the logged in pages are still cached. – Vivek R Aug 25 '14 at 10:44
- @rednaw I just found that Amazon doesn't cache pages (browser cache) like your address book, your orders page. These are called protected pages and are not cached by the browser. – Vivek R Aug 25 '14 at 10:50
In the file that contains

```python
app = Flask(__name__)
```

add the following just below it

```python
@app.after_request
def add_header(response):
    response.cache_control.no_store = True
    return response
```

That fixed the problem for me.

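The header approach from the answers above, applied in one place: an added example (not code from any of the posters) in which a single `after_request` hook sets `no-store` only on responses served to a logged-in session, so public pages stay cacheable and no per-view header is needed. The routes, the `user_id` session key, the secret key and the `cache_control_for` helper are assumptions made for the demo; `/demo-login` is a hypothetical stand-in for Flask-Security's login view.

```python
from flask import Flask, redirect, session, url_for

app = Flask(__name__)
app.secret_key = "constructed-demo-key"  # constructed value for the demo only


@app.route("/demo-login")
def demo_login():
    # Hypothetical stand-in for Flask-Security's login view.
    session["user_id"] = 1
    return "logged in"


@app.route("/dashboard")
def dashboard():
    # The server-side check is what actually protects the page.
    if "user_id" not in session:
        return redirect(url_for("about"))
    return "private dashboard"


@app.route("/about")
def about():
    return "public page"


@app.route("/logout")
def logout():
    session.clear()
    return redirect(url_for("about"))


@app.after_request
def no_store_when_logged_in(response):
    # Keep responses served to a logged-in session out of the browser cache,
    # so the back button after logout has no stored copy to show.
    if "user_id" in session:
        response.cache_control.no_store = True
    return response


def cache_control_for(client, path):
    """Return the Cache-Control header the app sends for `path` (or None)."""
    return client.get(path).headers.get("Cache-Control")


if __name__ == "__main__":
    client = app.test_client()
    for path in ("/about", "/demo-login", "/dashboard", "/logout", "/about"):
        print(path, "->", cache_control_for(client, path))
```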