4

Using the Phoenix framework, how to stop user from accessing the previous pages once he/she logs out and presses browser back button?

IgorekPotworek
Luis Angel

1 Answer

3

The browser can access the page because it is allowed to cache the response by default. If you want to prevent that, you need to set the appropriate HTTP headers on the pages that require authentication, as per this similar question:

```
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
```

You could do this in a Plug:

```elixir
defmodule MyApp.PreventCaching do
  import Plug.Conn

  def init(options) do
    options
  end

  # Sets the three anti-caching headers on every response that passes through.
  def call(conn, _opts) do
    # The pipe already supplies conn as the first argument of put_resp_header/3.
    conn
    |> put_resp_header("cache-control", "no-cache, no-store, must-revalidate")
    |> put_resp_header("pragma", "no-cache")
    |> put_resp_header("expires", "0")
  end
end
```

Then in your router (or controller), you can use the plug to set the headers on all pages that require authentication:

```elixir
plug MyApp.PreventCaching
```
Patrick Oscity
  • Thank you for your attention Patrick Oscity, this is the answer for my question, I will put my code here if any person wants to prevent that – Luis Angel Nov 06 '15 at 14:39
  • Improving the answer a little bit. From [Mozilla docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control) a good response header should be `Cache-Control: no-store` instead of `Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate,pre-check=0,post-check=0` – zegomesjf Oct 15 '20 at 21:29
  • @zegomesjf in an ideal world, where all browsers stick to the spec, yes. In practice though various browsers have their own quirks and disrespect the RFC, so we end up needing ugly things like this. https://stackoverflow.com/questions/49547/how-do-we-control-web-page-caching-across-all-browsers – Patrick Oscity Oct 16 '20 at 06:07
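
Added example, not part of the answer or comments above: an ExUnit test file (for example `test/prevent_caching_test.exs`) checking that the answer's headers reach both a logged-in response and the redirect that a re-request after logout receives. It assumes a project that depends on `:plug`; the `Demo.*` modules, the `:user_id` session key and the `/login` path are hypothetical.

```elixir
# Demo.PreventCaching mirrors the answer's plug; everything else is constructed for the test.
defmodule Demo.PreventCaching do
  import Plug.Conn
  def init(opts), do: opts
  def call(conn, _opts) do
    conn
    |> put_resp_header("cache-control", "no-cache, no-store, must-revalidate")
    |> put_resp_header("pragma", "no-cache")
    |> put_resp_header("expires", "0")
  end
end

defmodule Demo.PrivatePipeline do
  use Plug.Builder
  # Headers are set before the login check, so its redirect is not stored either.
  plug Demo.PreventCaching
  plug :require_login
  plug :show_account
  def require_login(conn, _opts) do
    if get_session(conn, :user_id),
      do: conn,
      else: conn |> put_resp_header("location", "/login") |> send_resp(302, "") |> halt()
  end
  def show_account(conn, _opts), do: send_resp(conn, 200, "account page")
end

defmodule Demo.PrivatePipelineTest do
  use ExUnit.Case, async: true
  import Plug.Conn
  # put_resp_header/3 replaces an existing value, so exactly one is expected.
  @no_store ["no-cache, no-store, must-revalidate"]
  # Constructed request: the session contents stand in for logged-in or logged-out state.
  defp request(session) do
    Plug.Test.conn(:get, "/account")
    |> Plug.Test.init_test_session(session)
    |> Demo.PrivatePipeline.call(Demo.PrivatePipeline.init([]))
  end

  test "logged-in page carries the no-store directive" do
    conn = request(%{user_id: 1})
    assert conn.status == 200
    assert get_resp_header(conn, "cache-control") == @no_store
  end

  test "re-request after logout is redirected and also not stored" do
    conn = request(%{})
    assert {conn.status, get_resp_header(conn, "location")} == {302, ["/login"]}
    assert get_resp_header(conn, "cache-control") == @no_store
  end
end
```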