What to do when a user logs out, then presses the back button?


#1

There are two cases I’m concerned about here when a user logs out,
then clicks the back button:

  1. the user presses the “back” button and goes back to a page that
    would otherwise require authentication

Right now, the existing page is still kept in cache, so private data
is still being seen. I’m guessing I’ll be using Rails’ new ETag
support here, and I was just looking to see how everybody else has
been handling this since before 2.2; this is less of a concern than
#2, which is…

  2. the user presses the “back” button and goes to a public page

The data in this case is not sensitive, but because Rails forms use
authenticity tokens that are tied to the session, the session becomes
invalidated after logging out. If the user presses the back button and
then clicks “log out” again, an InvalidAuthenticityToken error is
thrown; I’d really rather not show a 500 error page if this happens.
Any ideas how to avoid it? (Is it a bug in rails if there’s no way to
avoid this?)

So the burning question on my mind here is, how do I avoid throwing an
InvalidAuthenticityToken error, should a user log out, click ‘back’,
then click on ‘log out’ again? (This question is posed by a client, so
I can’t just ignore this edge case.)


#2

On Mon, Nov 24, 2008 at 4:30 AM, Frederick C. <
removed_email_address@domain.invalid> wrote:

You should be able to rescue that exception (see rescue_from etc…)

Fred

Fred, thanks for responding - I’m not sure if I can, because the exception
is generated and thrown in the framework before it even gets to the
controller. Where would I rescue from?

Liam


#3

On Nov 24, 1:32 pm, “Liam M.” removed_email_address@domain.invalid wrote:

On Mon, Nov 24, 2008 at 4:30 AM, Frederick C. <

You should be able to rescue that exception (see rescue_from etc…)

Fred

Fred, thanks for responding - I’m not sure if I can, because the exception
is generated and thrown in the framework before it even gets to the
controller. Where would I rescue from?

with rescue_from hopefully. Or with an around filter if that doesn’t
work (token verification is just another filter after all).

Fred
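The rescue_from route Fred points at, together with no-store headers for the cached private page, as an added example in plain Ruby that models the Rails flow rather than loading Rails (it is not code from this thread). Session, SECRET, handle_logout and the token derivation are assumptions that stand in for Rails' session and form_authenticity_token; the real handler would be `rescue_from ActionController::InvalidAuthenticityToken` in the controller.

```ruby
# Plain-Ruby model (not Rails code) of: a form token bound to the session, a
# verification filter that raises InvalidAuthenticityToken, and a rescue_from-style
# handler that turns the stale-token-after-logout case into a redirect, not a 500.
require 'securerandom'
require 'digest'

class InvalidAuthenticityToken < StandardError; end

class Session
  attr_reader :id
  def initialize; reset!; end
  # Logging out resets the session, so tokens minted earlier no longer match.
  def reset!; @id = SecureRandom.hex(16); self; end
end

# Assumption: stands in for the application's session secret.
SECRET = 'constructed-secret-for-the-example'.freeze

# Assumption: the form token is derived from the session id and the app secret,
# which is the shape of Rails' form_authenticity_token.
def authenticity_token(session)
  Digest::SHA256.hexdigest("#{session.id}--#{SECRET}")
end

# The framework-level check that runs before the action (the "filter" Fred mentions).
def verify_authenticity_token!(session, submitted)
  raise InvalidAuthenticityToken unless submitted == authenticity_token(session)
end

# Headers for any page that must not be replayed from the browser's history cache.
def private_page_headers
  { 'Cache-Control' => 'no-cache, no-store, must-revalidate',
    'Pragma' => 'no-cache', 'Expires' => '0' }
end

# Models the logout action with `rescue_from InvalidAuthenticityToken` attached.
def handle_logout(session, submitted_token)
  verify_authenticity_token!(session, submitted_token)
  session.reset!
  { status: 302, location: '/', headers: private_page_headers }
rescue InvalidAuthenticityToken
  # Stale form submitted after logout: send the user to the login page instead.
  { status: 302, location: '/login', headers: private_page_headers }
end

# Log out, press back (cached page still carries the old token), click log out again.
def back_button_scenario
  session = Session.new
  stale_token = authenticity_token(session)        # token baked into the cached page
  first  = handle_logout(session, stale_token)     # succeeds and resets the session
  second = handle_logout(session, stale_token)     # old token no longer matches
  [first[:location], second[:location]]
end
```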