Forum: Ruby on Rails Back button works even after logout - How to prevent?

Tony P. (Guest)
on 2009-01-29 07:39
Hi all,
In my web application, after logging out, if the Back button of the browser
is clicked, it takes me to the previous logged-in pages and allows all
operations without logging in. The layout, however, doesn't change, but
the yield pages.

Please help me prevent that back button operation after logout. Given
below is my logout controller.
#Controller
  def logout
    if session[:admin] || session[:user]
      reset_session
      flash[:notice] = 'Logged out successfully'
      redirect_to :controller => 'homes', :action => 'index'
    else
      flash[:error] = 'Not logged in'
    end
  end

Your prompt response is appreciated.
Ar C. (Guest)
on 2009-01-29 08:24
You can add a before_filter to your controllers to ensure that the user
is logged in.

I use restful authentication (that provides the login_required method),
and I let anyone see the index listing of a table, or a show of any
individual record, but create, update, new, delete, etc, are all locked
behind a logged in session.

before_filter :login_required, :except => [:index, :show]
Julian L. (Guest)
on 2009-01-29 14:09
(Received via mailing list)
You need to protect all of your controllers with a before filter that
redirects to login unless they're logged in.

Tony P. (Guest)
on 2009-02-06 06:09
Ar Chron wrote:
> You can add a before_filter to your controllers to ensure that the user
> is logged in.
>
> I use restful authentication (that provides the login_required method),
> and I let anyone see the index listing of a table, or a show of any
> individual record, but create, update, new, delete, etc, are all locked
> behind a logged in session.
>
> before_filter :login_required, :except => [:index, :show]

Thank you very much... Chron. It was very helpful.
Tony P. (Guest)
on 2009-02-06 06:09
Julian L. wrote:
> You need to protect all of your controllers with a before filter that
> redirects to login unless they're logged in.

Thank you very much... Julian.
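
Added example, not part of the thread or any poster's code: the login gate both replies describe, modelled as a Rack-style callable in plain Ruby so it runs without Rails. It goes one step beyond the replies by also marking logged-in responses `Cache-Control: no-store`; `RequireLogin`, `LOGIN_PATH`, `PUBLIC_PATHS` and the sample app are assumed names.

```ruby
# Added example (not from the thread). Plain Ruby using only the Rack calling
# convention; no Rails or rack gem needed. Names below are assumptions.
class RequireLogin
  LOGIN_PATH   = '/login'
  PUBLIC_PATHS = ['/', LOGIN_PATH].freeze # everything else needs a session

  def initialize(app)
    @app = app
  end

  def call(env)
    session   = env['rack.session'] || {}
    logged_in = session[:admin] || session[:user] # same keys as the logout action

    unless logged_in || PUBLIC_PATHS.include?(env['PATH_INFO'])
      # Server-side gate: a request replayed after logout never reaches the action.
      return [302, { 'Location' => LOGIN_PATH, 'Cache-Control' => 'no-store' }, []]
    end

    status, headers, body = @app.call(env)
    # Logged-in pages should not be stored by the browser, otherwise Back may
    # redisplay them from cache after logout without contacting the server.
    headers = headers.merge('Cache-Control' => 'no-store') if logged_in
    [status, headers, body]
  end
end

# Constructed stand-in for the protected controllers.
ADMIN_APP = lambda do |env|
  [200, { 'Content-Type' => 'text/plain' }, ["page #{env['PATH_INFO']}"]]
end

# Constructed scenario: logged in, visit a page, log out, press Back.
def back_button_after_logout
  app     = RequireLogin.new(ADMIN_APP)
  session = { user: 42 }
  before  = app.call({ 'PATH_INFO' => '/orders/edit', 'rack.session' => session })
  session.clear # stands in for reset_session in the logout action
  after   = app.call({ 'PATH_INFO' => '/orders/edit', 'rack.session' => session })
  { before: before, after: after }
end
```

In a Rails application of this era the same check would sit in a `before_filter` on the base controller, with public actions exempted as in `:except => [:index, :show]`.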