Using the Phoenix framework, how to stop user from accessing the previous pages once he/she logs out and presses browser back button?
Viewed 571 times
1 Answer
4
The browser can access the page because it is allowed to cache the response by default. If you want to prevent that, you need to set the appropriate HTTP headers on the pages that require authentication, as per this similar question:
```
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
```
You could do this in a Plug:

```elixir
defmodule MyApp.PreventCaching do
  import Plug.Conn

  # No compile-time options are needed; pass them through unchanged.
  def init(options) do
    options
  end

  # Mark the response as non-cacheable so the browser re-requests the page.
  def call(conn, _opts) do
    conn
    |> put_resp_header("cache-control", "no-cache, no-store, must-revalidate")
    |> put_resp_header("pragma", "no-cache")
    |> put_resp_header("expires", "0")
  end
end
```

Then in your router (or controller), you can use the plug to set the headers on all pages that require authentication:

```elixir
plug MyApp.PreventCaching
```

Patrick Oscity
- Thank you for your attention Patrick Oscity, this is the answer to my question. I will put my code here if anyone wants to prevent that. – Luis Angel Nov 06 '15 at 14:39
- Improving the answer a little bit. From [Mozilla docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control) a good response header should be `Cache-Control: no-store` instead of `Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate,pre-check=0,post-check=0` – zegomesjf Oct 15 '20 at 21:29
- @zegomesjf in an ideal world, where all browsers stick to the spec, yes. In practice though various browsers have their own quirks and disrespect the RFC, so we end up needing ugly things like this. https://stackoverflow.com/questions/49547/how-do-we-control-web-page-caching-across-all-browsers – Patrick Oscity Oct 16 '20 at 06:07
- Looks like you are already piping the `conn` as the first parameter. So, no need to pass it again inside `put_resp_header`. – Ankanna Jun 27 '21 at 14:16
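
Added example, not part of the original answer or comments: a check over captured response headers that reports why a login-protected page may still be cached, with `legacy=True` also requiring the `Pragma` and `Expires` fallbacks from the answer. The function names and the sample headers are constructed for illustration.

```python
import re

# Split on commas that are outside double-quoted directive arguments.
_COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_cache_control(values):
    """Merge one or more Cache-Control values into {directive: argument}."""
    directives = {}
    for value in values:
        for part in _COMMA.split(value):
            name, _, arg = part.strip().partition("=")
            if name:
                directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def cache_findings(headers, legacy=False):
    """List reasons a login-protected response may still be cached.

    headers: (name, value) pairs from a captured response.
    legacy:  also require the Pragma/Expires fallbacks used in the answer.
    """
    pairs = [(name.lower(), value.strip()) for name, value in headers]
    cc = parse_cache_control([v for n, v in pairs if n == "cache-control"])
    findings = []
    if not cc:
        findings.append("no Cache-Control header; browser defaults apply")
    elif "no-store" not in cc:
        findings.append("Cache-Control lacks no-store")
    if "public" in cc:
        findings.append("Cache-Control contains public")
    if legacy:
        single = dict(pairs)
        if single.get("pragma", "").lower() != "no-cache":
            findings.append("Pragma is not no-cache")
        if single.get("expires") != "0":
            findings.append("Expires is not 0")
    return findings


# Constructed sample responses (not captured from a real application).
ANSWER_HEADERS = [
    ("cache-control", "no-cache, no-store, must-revalidate"),
    ("pragma", "no-cache"),
    ("expires", "0"),
]
NO_STORE_ONLY = [("Cache-Control", "no-store")]
CACHEABLE = [("Cache-Control", "private, max-age=0, must-revalidate")]
```

Feed it the headers of a page behind login and of a public page: an empty list for the protected page means the plug is in that route's pipeline.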