6

After logout, if I press the back button in the browser, it should not show the previous page; it has to go to the default page (login page only).

So I have tried many ways (Ruby on Rails application), like "history.forward()", "onbeforeunload", expiring the cache in a meta tag, "http://www.brookebryan.com/ back button detection", and so many others. I am very confused.

Can anyone suggest a solution?

Jonathan Day
Arun
  • You have a better chance of finding an answer if you add the "ruby-on-rails" tag to your question. – Greg Sansom Nov 24 '10 at 05:38
  • 1
    Are you using `sessions` in your app? If yes, then check the `session` for every secure page. – FosterZ Nov 24 '10 at 05:40
  • The information that you provided is insufficient to help you. I agree with FosterZ: if you are using `sessions`, please check for the user session in all protected actions before executing them, or rather use `before_filter :method_name` as the first line in your controllers. – Jasdeep Singh Nov 24 '10 at 05:47
  • Also, if you can, please post the code for your method that renders after pressing the back button; that would be helpful. – Jasdeep Singh Nov 24 '10 at 05:50

3 Answers

4

What you have to do is disable browser caching so that it won't return the cached page after you log out. You can do that by setting the response headers to avoid caching in the application controller. How?

In `application_controller.rb`:

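```ruby
class ApplicationController < ActionController::Base
  # Runs before every action (Rails 4+ spells this before_action).
  before_filter :set_no_cache

  # Tell the browser and any intermediate caches not to store the response.
  def set_no_cache
    response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate"
    response.headers["Pragma"] = "no-cache"
    response.headers["Expires"] = "Fri, 01 Jan 1990 00:00:00 GMT"
  end
end
```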

As mentioned in this answer: https://stackoverflow.com/a/748646

Community
thegauraw
1

You can't do this and for a very good reason. If it were possible to disable the back button then malicious sites would all do it to stop you from getting away. Disallowing basic functionality for your users is never a good idea anyway.

Saying all that, you can discourage the use of the back button. If you make your logout button POST a form and then respond to the POST directly (rather than redirecting) then the user will see a warning from the browser asking them if they want to re-POST the form.

I suppose another trick would be for your page (the one you don't want the user to be able to go back to) to make an AJAX request on load to the server. If the response from that subrequest indicates that the user is no longer logged in, then your JavaScript could bounce the user to another page.

All this seems like a waste of time to me though, to be honest.

noodl
1

The best way to do it is not to control the browser, but to control the behavior of your application.

In your controller, put this:

```ruby
before_filter :validate_user
```

and in your validate_user method, determine if you have a logged-in user (you didn't provide enough detail to see code for this). If there isn't a logged-in user, redirect them to the login page.

This is a very common idiom; I see it all the time. You may want to examine the source of a few Rails apps. Here's the application_controller for Redmine, an issue tracker. It contains a before_filter called user_setup that leads to a find_current_user method which will find a User object from the session, or try to authenticate the user in a couple ways.

Mark Thomas
  • This doesn't account for the browser cache. I assumed he wanted to avoid the previous page being seen even without a request to the server. – noodl Nov 24 '10 at 10:41
  • 3
    Then, in addition to above, add a `Cache-Control: no-cache` header. – Mark Thomas Nov 24 '10 at 13:01
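The two fixes discussed in the answers above (a server-side session check and no-store response headers) cover different cases. The following is an added example, not code from any of the answers: it models them in plain Ruby with a Rack-style app and a toy browser cache. `App`, `ToyBrowser`, the paths and the `sid` key are hypothetical, and the cache is a simplified model of history navigation.

```ruby
# Added illustration, not code from the answers. App, ToyBrowser, /account,
# /login and the "sid" env key are hypothetical names; the cache is a toy model.
require "set"

class App
  attr_reader :sessions # server-side record of live session ids

  def initialize(no_store:)
    @no_store = no_store
    @sessions = Set.new
  end

  # Rack-style entry point returning [status, headers, body].
  def call(env)
    # Equivalent of the before_filter check: no live session, no page.
    return [302, { "Location" => "/login" }, ""] unless @sessions.include?(env["sid"])
    headers = {}
    headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate" if @no_store
    [200, headers, "account page for #{env['sid']}"]
  end
end

# Toy browser: Back shows a stored copy if one exists, else asks the server.
class ToyBrowser
  def initialize(app, sid)
    @app, @sid, @cache = app, sid, {}
  end

  def visit(path)
    status, headers, body = @app.call("PATH_INFO" => path, "sid" => @sid)
    storable = status == 200 && !headers["Cache-Control"].to_s.include?("no-store")
    @cache[path] = body if storable
    status == 302 ? "redirect to #{headers['Location']}" : body
  end

  def back(path)
    @cache.fetch(path) { visit(path) }
  end
end

# Log in, view the page, log out, then press Back.
def back_after_logout(no_store:)
  app = App.new(no_store: no_store)
  app.sessions.add("s1")
  browser = ToyBrowser.new(app, "s1")
  browser.visit("/account")
  app.sessions.delete("s1")
  browser.back("/account")
end
```

Without the header, Back returns the stored account page and the server's session check never runs; with it, the request reaches the server and the check redirects to the login page.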