
My problem: when a user logs out of my site and presses the back button in the browser, she can still see the previous pages.

I have tried the recipe from "Symfony2 response - Clear cache headers on back button", but nothing happens.

Recipe:

$response->headers->addCacheControlDirective('no-cache', true);
$response->headers->addCacheControlDirective('max-age', 0);
$response->headers->addCacheControlDirective('must-revalidate', true);
$response->headers->addCacheControlDirective('no-store', true);

My security.yml has these settings in the firewall in charge:

logout:
    path:   mypath_logout
    target: /
    invalidate_session: true

The headers I receive when pressing the logout link:

object(Symfony\Component\HttpFoundation\ResponseHeaderBag)#429 (5) { ["computedCacheControl":protected]=> array(5) { ["max-age"]=> string(1) "0" ["must-revalidate"]=> bool(true) ["no-cache"]=> bool(true) ["no-store"]=> bool(true) ["private"]=> bool(true) } ["cookies":protected]=> array(0) { } ["headerNames":protected]=> array(2) { ["cache-control"]=> string(13) "Cache-Control" ["date"]=> string(4) "Date" } ["headers":protected]=> array(2) { ["cache-control"]=> array(1) { [0]=> string(55) "max-age=0, must-revalidate, no-cache, no-store, private" } ["date"]=> array(1) { [0]=> string(29) "Wed, 18 Nov 2015 11:40:47 GMT" } } ["cacheControl":protected]=> array(4) { ["max-age"]=> string(1) "0" ["must-revalidate"]=> bool(true) ["no-cache"]=> bool(true) ["no-store"]=> bool(true) } }

I'm using render when the user logs out, like this:

$response = $this->render('template.html.twig', array(
        'form' => $form->createView(),
    ));

Besides, just in case, I have destroyed the session using plain PHP when logging out:

unset($_SESSION);
session_destroy();

Quite an annoying problem, this "prevent back button"; I've spent plenty of time on it :(

Yercalamarino
  • I think you can't do much about it; the user is seeing the cached version of the page, it's totally client side... It would be the same if he took a screenshot before logging out. BTW, he shouldn't be able to do anything: any link or AJAX load should fail because he is no longer authenticated... – Jean Nov 18 '15 at 11:52
  • You could include some JavaScript on the logout page preventing browser back with URL fragments. – john Smith Nov 18 '15 at 15:36
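An added example, not code from the question or from either answer: a Symfony 2 event subscriber that puts the anti-caching headers on the protected pages themselves instead of on the logout response. The headers shown in the question are attached to the logout response only, but the back button shows the copy of the earlier page that the browser stored when that page was served, and a later response cannot evict that copy. Once every protected page is served with Cache-Control: no-store, the back button forces a fresh request, which the firewall redirects to the login page because the session no longer exists. The namespace AppBundle, the class name, the service name app.no_store_listener and the '/account' prefix are assumptions chosen for this example; substitute the firewall's own pattern.

```php
<?php
// Added example (not from the question or the answers): stamp every
// master response served under a protected URL prefix with headers that
// forbid the browser from storing the page. The logout response's own
// headers are irrelevant to pages cached before logout; the protected
// pages must carry no-store when they are first served.
//
// Assumptions (mine, not the question's): the namespace AppBundle and the
// '/account' prefix are placeholders for the real bundle and firewall pattern.

namespace AppBundle\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\HttpKernel\KernelEvents;

class NoStoreResponseListener implements EventSubscriberInterface
{
    /** @var string[] URL prefixes whose responses must never be cached */
    private $protectedPrefixes;

    public function __construct(array $protectedPrefixes = array('/account'))
    {
        $this->protectedPrefixes = $protectedPrefixes;
    }

    public static function getSubscribedEvents()
    {
        // Low priority so that nothing running after us re-enables caching.
        return array(KernelEvents::RESPONSE => array('onKernelResponse', -10));
    }

    public function onKernelResponse(FilterResponseEvent $event)
    {
        // Sub-requests (ESI, embedded controllers) are not sent to the
        // browser on their own; the master response carries the headers.
        if ($event->getRequestType() !== HttpKernelInterface::MASTER_REQUEST) {
            return;
        }

        if (!$this->isProtected($event->getRequest()->getPathInfo())) {
            return;
        }

        self::applyNoStore($event->getResponse());
    }

    /** True when $path starts with one of the configured prefixes. */
    public function isProtected($path)
    {
        foreach ($this->protectedPrefixes as $prefix) {
            // Prefix match on purpose: '/account' also covers '/account/orders'.
            if (strpos($path, $prefix) === 0) {
                return true;
            }
        }
        return false;
    }

    /**
     * Set the full set of anti-caching headers on a response.
     * no-store is the directive that matters for the back button; the
     * others cover HTTP/1.0 clients and intermediary proxies.
     */
    public static function applyNoStore(Response $response)
    {
        $response->headers->addCacheControlDirective('no-store', true);
        $response->headers->addCacheControlDirective('no-cache', true);
        $response->headers->addCacheControlDirective('must-revalidate', true);
        $response->headers->addCacheControlDirective('max-age', 0);
        $response->headers->set('Pragma', 'no-cache');
        $response->headers->set('Expires', '0');
    }
}
```

Register the class as a service tagged with kernel.event_subscriber and pass the list of protected prefixes as its constructor argument. To verify, load a protected page while logged in and confirm in the browser's network panel that its response carries Cache-Control with no-store; then log out and press back: the browser should issue a new request rather than show the stored copy, and the firewall should answer with a redirect to the login page.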

2 Answers


Here is some JS you can include on the page the user gets redirected to on logout. Sure, this won't work for non-JS cases etc., but I think this was the best solution I found when I took the time to look into it.

(function ($, global) {

    // location.hash includes the leading '#', so the pinned value is "#!".
    var _hash = "#!",
    noBackPlease = function () {
        // Push two history entries ("#", then "#!") so that pressing back
        // lands on this same page instead of the page served before logout.
        global.location.href += "#";

        setTimeout(function () {
            global.location.href += "!";
        }, 50);
    };

    // Keep the fragment pinned: whenever it changes (e.g. after back), restore it.
    global.setInterval(function () {
        if (global.location.hash != _hash) {
            global.location.hash = _hash;
        }
    }, 100);

    global.onload = function () {
        noBackPlease();

        // disables backspace on page except on input fields and textarea.
        $(document.body).keydown(function (e) {
            var elm = e.target.nodeName.toLowerCase();
            if (e.which == 8 && elm !== 'input' && elm !== 'textarea') {
                e.preventDefault();
            }
            // stopping event bubbling up the DOM tree..
            e.stopPropagation();
        });
    };

})(jQuery, window);
john Smith

Try these headers:

header("Cache-Control: no-cache, no-store, must-revalidate"); // HTTP 1.1.
header("Pragma: no-cache"); // HTTP 1.0.
header("Expires: 0"); // Proxies.

You can check it here:

How to control web page caching, across all browsers?

gray
  • Whilst this may theoretically answer the question, [it would be preferable](//meta.stackoverflow.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – Enamul Hassan Jun 10 '16 at 06:41