Actually I wrote "before_filter :authorize" in every controller except
login_controller.rb, but after logout, if you click the "Back Page" icon in
the browser, it will go to the previous page (on that page I can't activate
any links, because it will redirect_to the login page).
But in the case of Yahoo Mail, etc., if we click the "Back Page" icon in the
browser, then it will redirect_to the login page.
Not sure you can. I believe the back button is a feature of the browser
itself, so there is nothing you can do about it. But is it that bad?
People who log out have seen the content already.
The browser is returning to a cached copy of the page. You can't
completely prevent this, but you can send HTTP headers that encourage
the browser not to cache the request. Setting "Cache-Control: no-cache"
in the headers ought to do it.
Like that, how can I do it in my Rails project?
Are you using a session variable? In my app, when the user logs in, a
session variable is set with the user id; then as they navigate around
within the site, the controller has a before_filter verifying their user
id is the same as the stored session id. That way, when they log out the
session id gets set back to nothing, and when they try to go back those
two ids no longer match and they just get kicked back to the login
page. In this same way I can also ensure that no user can access another
user's account info.
Right, but he is talking about cached versions of legitimately visited
pages hanging around in the browser cache after logout. This means the
requests are not even hitting rails so sessions make no difference.
Setting Cache-Control: no-cache, as was said before, is the best thing
you can do along with recommending the user close the browser after
logout. However, neither of these is a guarantee.
-Bill
Shandy N. wrote:
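To make the two header replies concrete, here is an added example in plain Ruby; it is not code from anyone in the thread and runs without Rails. It models the before_filter that would set anti-caching headers, the before_filter :authorize session check, and a small constructed stand-in for the browser's page cache, so you can see why a cached page never reaches Rails and why the session check alone cannot help. The names set_no_cache_headers, authorize, BrowserCache and simulate_back_after_logout are made up for the illustration. It also sends "no-store" alongside the "Cache-Control: no-cache" suggested above, because browsers may still show a page marked only "no-cache" when the user presses Back.

```ruby
# Added example, not code from the thread. Models the thread's advice in
# plain Ruby so it runs without Rails: a before_filter-style method that
# sets anti-caching headers, a before_filter-style authorize check, and a
# tiny constructed stand-in for the browser's page cache.

# Headers that tell the browser (and intermediaries) not to keep a copy.
# The thread suggests "Cache-Control: no-cache"; "no-store" is added here
# because browsers may still show a page marked only "no-cache" when the
# user presses Back, and Pragma/Expires cover old HTTP/1.0 clients.
NO_CACHE_HEADERS = {
  'Cache-Control' => 'no-store, no-cache, must-revalidate, max-age=0',
  'Pragma'        => 'no-cache',
  'Expires'       => 'Fri, 01 Jan 1990 00:00:00 GMT'
}.freeze

# In a Rails app this would be a filter in ApplicationController,
#   before_filter :set_no_cache_headers
# writing into response.headers; here a plain Hash stands in for it.
def set_no_cache_headers(response_headers)
  response_headers.merge!(NO_CACHE_HEADERS)
end

# The thread's before_filter :authorize, reduced to its decision:
# render the page if the session still names a user, else redirect.
def authorize(session)
  session[:user_id] ? :page_rendered : :redirected_to_login
end

# Constructed model of a browser's history cache. It keeps a page unless
# the response said "no-store"; on Back it hands the stored copy out
# without contacting the server at all, which is why session checks in
# Rails never get a chance to run in that case.
class BrowserCache
  def initialize
    @pages = {}
  end

  def store(url, headers, body)
    directives = headers.fetch('Cache-Control', '').split(',').map(&:strip)
    @pages[url] = body unless directives.include?('no-store')
  end

  # Returns the cached body, or nil if the browser must re-request the URL.
  def back(url)
    @pages[url]
  end
end

# Walk through the scenario from the thread: log in, view a private page,
# log out, press Back. With protect: false the page is served without
# anti-caching headers; with protect: true the filter above is applied.
def simulate_back_after_logout(protect:)
  cache   = BrowserCache.new
  session = { user_id: 42 }                 # constructed logged-in session
  headers = protect ? set_no_cache_headers({}) : {}

  cache.store('/mail/inbox', headers, 'inbox for user 42') # viewed while logged in
  session.delete(:user_id)                                # logout clears the session

  if cache.back('/mail/inbox')
    :cached_page_shown   # browser shows the old copy; Rails is never asked
  else
    authorize(session)   # browser re-requests; the filter redirects to login
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "without headers: #{simulate_back_after_logout(protect: false)}"
  puts "with headers:    #{simulate_back_after_logout(protect: true)}"
end
```

In the real app the header filter can simply run for every controller, including login_controller.rb, since the login page has nothing worth caching. Bill's caveat still stands: the headers are a request to the browser, not something the server can enforce.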