Forum: Ruby on Rails What to do when a user logs out, then presses the back button?

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Liam Morley (carpeliam)
on 2008-11-24 08:47
(Received via mailing list)
There are two cases I'm concerned about here when a user logs out,
then clicks the back button:

1. the user presses the "back" button and goes back to a page that
would otherwise require authentication

Right now, the existing page is still kept in cache, so private data
is still being seen. I'm guessing I'll be using Rails' new ETag
support here, and I was just looking to see how everybody else has
been handling this since before 2.2; this is less of a concern than
#2, which is...

2. the user presses the "back" button and goes to a public page

The data in this case is not sensitive, but because Rails forms use
authenticity tokens that are tied to the session, the session becomes
invalidated after logging out. If the user presses the back button and
then clicks "log out" again, an InvalidAuthenticityToken error is
thrown; I'd really rather not show a 500 error page if this happens.
Any ideas how to avoid it? (Is it a bug in rails if there's no way to
avoid this?)

So the burning question on my mind here is, how do I avoid throwing an
InvalidAuthenticityToken error, should a user log out, click 'back',
then click on 'log out' again? (This question is posed by a client, so
I can't just ignore this edge case.)
Liam Morley (carpeliam)
on 2008-11-25 07:35
(Received via mailing list)
On Mon, Nov 24, 2008 at 4:30 AM, Frederick Cheung <frederick.cheung@gmail.com> wrote:

> You should be able to rescue that exception (see rescue_from etc...)
>
> Fred

Fred, thanks for responding - I'm not sure if I can, because the exception
is generated and thrown in the framework before it even gets to the
controller. Where would I rescue from?

Liam
Frederick Cheung (Guest)
on 2008-11-25 07:42
(Received via mailing list)
On Nov 24, 1:32 pm, "Liam Morley" <imo...@gmail.com> wrote:
> On Mon, Nov 24, 2008 at 4:30 AM, Frederick Cheung <frederick.cheung@gmail.com> wrote:
>
> > You should be able to rescue that exception (see rescue_from etc...)
> >
> > Fred
>
> Fred, thanks for responding - I'm not sure if I can, because the exception
> is generated and thrown in the framework before it even gets to the
> controller. Where would I rescue from?
>
with rescue_from hopefully. Or with an around filter if that doesn't
work (token verification is just another filter after all).

Fred
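To make the mechanics of both cases concrete, here is an added, stand-alone Ruby example (not code from this thread, and not ActionController's own implementation). The `Session` and `Controller` classes are hypothetical stand-ins that mimic the relevant Rails behaviour so the file runs without Rails: a random per-session token is embedded in forms and compared on every non-GET request, `reset_session` on logout discards it, and a `rescue_from`-style table maps `InvalidAuthenticityToken` to a handler method. The walk-through reproduces the poster's scenario: log out, press Back, and submit the cached logout form again with its now-stale token.

```ruby
# Added example (not from the thread or from Rails): a stand-alone model of a
# session-bound authenticity token failing after logout, and of a rescue_from
# style handler turning that failure into a redirect instead of a 500.
# Session and Controller are hypothetical stand-ins for ActionController.
require 'securerandom'

class InvalidAuthenticityToken < StandardError; end

# Server-side session; reset discards everything, as reset_session does on logout.
class Session
  def initialize; reset; end
  def reset; @data = {}; end
  def [](key); @data[key]; end
  def []=(key, value); @data[key] = value; end
end

# Rails 2.x keeps a random per-session token and embeds it in every form, so a
# form rendered under the old session carries a token the post-logout session
# has never seen.
def form_authenticity_token(session)
  session['_csrf_token'] ||= SecureRandom.base64(32)
end

class Controller
  # Per-class handler table: rescue_from maps an exception class to a method.
  def self.rescue_handlers; @rescue_handlers ||= {}; end
  def self.rescue_from(klass, with:); rescue_handlers[klass] = with; end

  attr_reader :session, :response, :params

  def initialize(session)
    @session  = session
    @response = { status: 200, headers: {}, body: '' }
  end

  # Run the forgery check as a filter, then the action. An exception with a
  # registered handler is routed there; anything else propagates, which in
  # Rails ends up on the default 500 page.
  def process(action, method, params = {})
    @params = params
    verify_authenticity_token unless method == 'GET'
    send(action)
    response
  rescue StandardError => e
    handler = self.class.rescue_handlers.find { |klass, _| e.is_a?(klass) }
    raise unless handler
    send(handler.last, e)
    response
  end

  def verify_authenticity_token
    return if params['authenticity_token'] == form_authenticity_token(session)
    raise InvalidAuthenticityToken, 'token does not match the current session'
  end

  def redirect_to(path)
    response[:status] = 302
    response[:headers]['Location'] = path
  end
end

class SessionsController < Controller
  rescue_from InvalidAuthenticityToken, with: :stale_logout_form

  # Case 1: mark private pages no-store so the browser does not replay them
  # from cache when the user presses Back after logging out.
  def show
    response[:headers]['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
    response[:body] = "private data for user #{session['user_id']}"
  end

  # POST /logout
  def destroy
    session.reset
    redirect_to '/'
  end

  # Case 2: the user is already logged out, so the stale form's intent is
  # already satisfied; send them where a successful logout would have.
  def stale_logout_form(_error)
    redirect_to '/'
  end
end

# Log out, press Back, submit the cached logout form again with its stale token.
def logout_then_back_then_logout
  session = Session.new
  session['user_id'] = 42
  stale_token = form_authenticity_token(session) # embedded in the rendered logout form
  first  = SessionsController.new(session).process(:destroy, 'POST', 'authenticity_token' => stale_token)
  second = SessionsController.new(session).process(:destroy, 'POST', 'authenticity_token' => stale_token)
  [first[:status], second[:status], second[:headers]['Location']]
end

# The same stale submission against a controller with no handler: the
# exception escapes, which is what produces the 500 the poster saw.
def second_logout_without_rescue
  session = Session.new
  stale_token = form_authenticity_token(session)
  session.reset
  Controller.new(session).process(:destroy, 'POST', 'authenticity_token' => stale_token)
  :no_error
rescue InvalidAuthenticityToken
  :invalid_authenticity_token
end

puts logout_then_back_then_logout.inspect if __FILE__ == $PROGRAM_NAME
```

In a real Rails 2.2 application the equivalent of the handler table is a single line in ApplicationController, `rescue_from ActionController::InvalidAuthenticityToken, :with => :stale_logout_form`, which works because token verification runs as a filter inside the controller's request processing, so `rescue_from` does see it. For case 1, set the `Cache-Control` header (with `no-store`, not just `no-cache`) in a `before_filter` on authenticated actions; ETags alone only control revalidation and do not stop the browser from showing a cached page on Back.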