19

I have a restricted area '/dashboard' in my Express application. I use a very small function to limit the access:

app.get('/dashboard', loadUser, function(req, res){
  res.render('dashboard', {
    username: req.session.username
  });
});

function loadUser(req, res, next){
  if (req.session.auth) {
    next();
  } else {
    res.redirect('/login');
  }
};

The problem is that when I log out a user by calling...

app.get('/logout', function(req, res){
  if (req.session) {
    req.session.auth = null;
    res.clearCookie('auth');
    req.session.destroy(function() {});
  }
  res.redirect('/login');
});

... the session is killed, but when I hit the Back button in my browser I get the restricted page from the browser's cache. This means no GET on '/dashboard' and no user login validation.

I tried using no-cache in meta (Jade Template) but it still doesn't work.

meta(http-equiv='Cache-Control', content='no-store, no-cache, must-revalidate')
meta(http-equiv='Pragma', content='no-cache')
meta(http-equiv='Expires', content='-1')

Anyone?

Pono

7 Answers

64

Josh's answer sadly didn't work for me. But after some searching I found this question: What's the best way to deal with cache and the browser back button?

and adapted the answer there to this node.js/express problem. You just have to change the following line

res.header('Cache-Control', 'no-cache');

to

res.header('Cache-Control', 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0');

Now, every time I use the browser back button, the page is reloaded and not cached.

* update for express v4.x *

// caching disabled for every route
server.use(function(req, res, next) {
  res.set('Cache-Control', 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0');
  next();
});

// otherwise put the res.set() call into the route-handler you want
Community
Philipp Kyeck
  • 2
    I'm having a similar problem. Where exactly do you add that line of code? – Scott Apr 12 '13 at 17:35
  • 4
    Try this: app.use(function(req, res, next) { res.header('Cache-Control', 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0'); next(); }); – sidonaldson May 19 '15 at 15:54
  • @nikjohn updated the answer to include a snippet for express 4+ – Philipp Kyeck Sep 29 '16 at 14:00
  • @pkyeck Yeah I tried `res.set` but unfortunately, I don't think there is _any_ solution for this issue. It's just completely up to the browser, it looks like – nikjohn Sep 29 '16 at 17:16
  • @nikjohn this works perfectly, I hope you got it to work for you, thanks for the answer Phil – Thabo Aug 13 '17 at 11:23
  • `res.header('Cache-Control', 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0');` line just did my long pending work. Thank you very much :) , Happy coding . – Pramesh Bajracharya Sep 17 '17 at 04:48
  • This is only working for GET endpoints. Any idea how to make it work for POST endpoints as well? – Shivang Gupta Mar 23 '22 at 04:52
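An added example, not code from any of the posts: the question's `loadUser` guard and the header variants from the answers, run against mock request/response objects so it works without Express, to show which variants actually send `no-store` (the directive that tells caches not to keep the response; `no-cache` alone still allows storing it). `cacheControl`, `mockRes`, `runChain`, `forbidsStorage` and the sample session are assumptions made for the example.

```javascript
// Added example: Express-style handlers run against mock objects (no Express needed).

// Header middleware as in the answers, written as a factory so variants can be compared.
const cacheControl = (value) => (req, res, next) => { res.set('Cache-Control', value); next(); };

// Guard and route handler as in the question.
function loadUser(req, res, next) {
  if (req.session && req.session.auth) return next();
  res.redirect('/login');
}
function dashboard(req, res) {
  res.render('dashboard', { username: req.session.username });
}

// Constructed stand-in for Express's response object.
function mockRes() {
  return {
    headers: {}, redirectedTo: null, rendered: null,
    set(name, value) { this.headers[name.toLowerCase()] = value; return this; },
    redirect(url) { this.redirectedTo = url; },
    render(view, locals) { this.rendered = { view, locals }; },
  };
}

// Run handlers in order, the way app.get(path, a, b, c) chains them.
function runChain(handlers, req) {
  const res = mockRes();
  let i = 0;
  const next = () => { const h = handlers[i++]; if (h) h(req, res, next); };
  next();
  return res;
}

// True only when the response's Cache-Control header contains no-store.
function forbidsStorage(res) {
  const names = String(res.headers['cache-control'] || '').split(',')
    .map((d) => d.trim().split('=')[0].toLowerCase());
  return names.includes('no-store');
}

const user = { session: { auth: true, username: 'pono' } }; // constructed session
const variants = {
  question: [loadUser, dashboard], // meta tags only: no HTTP header is sent
  noCacheOnly: [cacheControl('no-cache'), loadUser, dashboard],
  noStore: [cacheControl('no-cache, private, no-store, must-revalidate'), loadUser, dashboard],
};
for (const [name, chain] of Object.entries(variants)) {
  console.log(name, 'forbids storage:', forbidsStorage(runChain(chain, user)));
}
console.log('after logout ->', runChain(variants.noStore, { session: null }).redirectedTo);
```

Registering the header middleware with `app.use(...)` ahead of the routes, as the answers do, applies it to every HTTP method rather than to a single `app.get` handler.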
8
app.get('/dashboard', loadUser, function(req, res){
  res.header('Cache-Control', 'no-cache');
  res.header('Expires', 'Fri, 31 Dec 1998 12:00:00 GMT');

  res.render('dashboard', {
    username: req.session.username
  });
});
Josh
4

I am using Express ^4.16.3 and this worked for me as stated by @pkyeck.

I added it to my routes like this and it worked fine:

routes
  .use(function(req, res, next) {
    res.set('Cache-Control', 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0');
    next();
  })
  .get('/login', function(req, res, next){
    .....
  })
Basil
1

A simple solution is, after clearing the session, to redirect to the same route again. For example: the route /sessionedpage has session variables. After clicking the logout button, clear the session variables with req.session.destroy(function() {}); after that you are trying to redirect to the home page. INSTEAD of redirecting to the home page, redirect to /sessionedpage (the same route). Write an if condition for /sessionedpage: if(!res.sessions) then res.redirect('/home')

1

You need to simply add the following middleware before all routes in your NodeJS app which uses Express back-end and a PUG front-end to solve this back button problem. This is the most bare-bones solution:


MBS
0
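var forwardAuthenticated = (req, res, next) => {
    // Send the cache headers on every response from this guard.
    // The header value must stay on one line: a single-quoted string cannot span lines.
    res.set('Cache-Control', 'no-cache, private, no-store, must-revalidate, post-check=0, pre-check=0');
    const token = req.cookies.jwt;
    // No JWT cookie: let the request continue to the next handler.
    if (!token) {
        return next();
    }
    // A JWT cookie is present: send the user on to the product list.
    res.redirect('/listProducts');
};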
Hussain
0

To avoid loading page from cache, use the below code in app.js,

Note: Use it before using the routers

app.use(function(req, res, next) {
  res.header('Cache-Control', 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0');
  next();
});
Tyler2P