There are two cases I’m concerned about here when a user logs out,
then clicks the back button:
- the user presses the “back” button and goes back to a page that
would otherwise require authentication
Right now, the existing page is still kept in cache, so private data
is still being seen. I’m guessing I’ll be using Rails’ new ETag
support here, and I was just looking to see how everybody else has
been handling this since before 2.2; this is less of a concern than
#2, which is…
- the user presses the “back” button and goes to a public page
The data in this case is not sensitive, but because Rails forms use
authenticity tokens that are tied to the session, the session becomes
invalidated after logging out. If the user presses the back button and
then clicks “log out” again, an InvalidAuthenticityToken error is
thrown; I’d really rather not show a 500 error page if this happens.
Any ideas how to avoid it? (Is it a bug in rails if there’s no way to
avoid this?)
So the burning question on my mind here is, how do I avoid throwing an
InvalidAuthenticityToken error, should a user log out, click ‘back’,
then click on ‘log out’ again? (This question is posed by a client, so
I can’t just ignore this edge case.)