user3035711

Reputation: 31

Laravel logout fail on pressing back button

On logout from my Laravel application using the Laravel logout method:

public function getLogout()
{
    Auth::logout();
    return Redirect::to('users/login')->with('message', '<div class="alert alert-success">Your have successfully logged out</div>');
}

I am successfully logged out, but on hitting the back button, I can still access my account. Any idea on how I can fix this?

I am new to Laravel, so I'm not sure if my question makes sense. Well, in plain PHP, manually resetting the session to null has always done the job for me.

Upvotes: 3

Views: 5970

Answers (5)

hakuna_matata

Reputation: 123

I am new to Laravel. In Laravel 5.7 I fixed that problem in my own way. Create a middleware using artisan.

php artisan make:middleware RevalidateBackHistory

Within RevalidateBackHistory middleware, we set the header to no-cache and revalidate.

<?php
namespace App\Http\Middleware;

use Closure;

class RevalidateBackHistory
{
    /**
     * Handle an incoming request.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        $response = $next($request);
        // Tell the browser not to store the page or reuse it without asking the server again.
        return $response->header('Cache-Control','no-cache, no-store, max-age=0, must-revalidate')
            ->header('Pragma','no-cache')
            ->header('Expires','Fri, 01 Jan 1990 00:00:00 GMT');
    }
}

Update the application’s route middleware in Kernel.php

protected $routeMiddleware = [
    // ... existing route middleware ...
    'revalidate' => \App\Http\Middleware\RevalidateBackHistory::class,
    // ...
];

Update the routes in web.php. In my case:

Route::group(['middleware' => 'revalidate'], function(){
    Route::get('/', 'HomeController@index');
    Route::get('/home', 'HomeController@index');
    Route::get('/dashboard', 'HomeController@index');
});

And that’s all! So basically you just need to call revalidate middleware for routes which require user authentication.

Here are the URLs I followed:

Prevent Browser's Back Button Login After Logout in Laravel 5

https://www.youtube.com/watch?v=wLkA1g2s65U

Upvotes: 0

Finsok Yagman

Reputation: 41

Here is how I solved it in Laravel 5 using middleware:

Create a NoCache middleware like this:

Go through this: How do I implement before vs. after filters in middleware?

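<?php
// Namespace assumed: the default middleware location in Laravel 5.
namespace App\Http\Middleware;

use Closure;

class NoCache {
    public function handle($request, Closure $next)
    {
        // Run the request first, then set the headers on the outgoing response.
        $response = $next($request);
        $response->headers->set('Cache-Control','no-cache, no-store, max-age=0, must-revalidate');
        $response->headers->set('Pragma','no-cache');
        $response->headers->set('Expires','Fri, 01 Jan 1990 00:00:00 GMT');
        return $response;
    }
}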

Then register this middleware in Kernel.php: Running middleware on every request

Upvotes: 4

enigmaticus

Reputation: 548

I tried with this and it works.

In routes:

Route::group(array('before' => 'auth', 'after' => 'no-cache'), function()
{
    Route::get('dashboard', array('as' => 'getDashboard', 'uses' => 'DashboardController@getIndex'));

    Route::get('logout', array('as' => 'getLogout', 'uses' => 'LoginController@getLogout'));

    Route::group(array('prefix' => 'users'), function()
    {
        Route::get('users', array('as' => 'getUsers', 'uses' => 'UsersController@getIndex', 'before' => 'hasAccess:users.index'));
    });
});

In filters:

Route::filter('no-cache',function($route, $request, $response){
    // "After" filter: set the headers on the response that is about to be sent.
    $response->headers->set('Cache-Control','no-cache, no-store, max-age=0, must-revalidate');
    $response->headers->set('Pragma','no-cache');
    $response->headers->set('Expires','Fri, 01 Jan 1990 00:00:00 GMT');
});

Upvotes: 1
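The three answers above all rely on one Cache-Control value, so it is worth checking what that value actually tells a cache. This is an added example, not code from any of the answers: a small Node.js audit of the header for pages behind login. The function names and the sample values are constructed for illustration.

```javascript
// Added example (not from the answers): audit the Cache-Control value sent
// with pages behind login. The sample values at the bottom are constructed.
const KNOWN = new Set(['no-store', 'no-cache', 'private', 'public', 'max-age',
  's-maxage', 'must-revalidate', 'proxy-revalidate', 'no-transform',
  'must-understand', 'immutable', 'stale-while-revalidate', 'stale-if-error']);

// Parse 'a, b=1, c="x, y"' into a Map of lower-cased directive -> argument.
function parseCacheControl(value) {
  const directives = new Map();
  const re = /([\w-]+)(?:\s*=\s*("[^"]*"|[^,\s]*))?/g;
  for (const m of String(value || '').matchAll(re)) {
    const arg = m[2] === undefined ? null : m[2].replace(/^"|"$/g, '');
    directives.set(m[1].toLowerCase(), arg);
  }
  return directives;
}

// Report whether a cache may keep the response, and why.
function auditAuthenticatedResponse(value) {
  const d = parseCacheControl(value);
  const findings = [];
  for (const name of d.keys()) {
    // Caches ignore directives they do not recognise, so a typo silently does nothing.
    if (!KNOWN.has(name)) findings.push(`unknown directive "${name}" has no effect`);
  }
  if (!d.has('no-store')) {
    findings.push('no-store missing: a copy of the page may be kept after logout');
    if (d.has('no-cache')) {
      findings.push('no-cache alone still allows storing; it only forces revalidation');
    }
    if (d.has('public')) findings.push('public lets shared caches keep a per-user page');
  }
  return { storable: !d.has('no-store'), findings };
}

// Constructed samples: a misspelled directive, a value without no-store,
// and a value that is wrong for per-user pages.
for (const sample of ['nocache, no-store, max-age=0, must-revalidate',
                      'no-cache, must-revalidate',
                      'public, max-age=600']) {
  console.log(sample, '=>', auditAuthenticatedResponse(sample));
}
```

Run it against the header your authenticated routes really return (for example, copied from the browser's network panel) to confirm that no-store is present after the middleware is registered.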

Anji

Reputation: 723

Yes. As @Amelia wrote, that problem is because of the browser cache, not Laravel. Sending the response with no-cache is one solution, but that is not always good. You might have to pay an extra hosting fee if you implement that solution.

I tried to solve this issue with a bit of JavaScript code in my base template just before the </body> tag.

<script type="text/javascript">
    $(document).ready(function() {
        var isAuth = "<?php echo Auth::check(); ?>";

        if (location.href === 'http://local.myapp.in/login/')
        {
            // location.href is a property, not a function: assign to it to navigate.
            if (isAuth) location.href = '/home';
        }
        else
        {
            if (!isAuth) location.href = '/login';
        }
    });
</script>

In the above code, replace http://local.myapp.in/login/ with your login page URL. So each time a page is loaded, this code gets executed. If the user is trying to access any restricted page without being logged in, then he will be redirected to the login page. And if a user is trying to access the login page when logged in, the browser will be redirected to the home page.

Since it is JS code, even if the page is loaded from the browser cache, this piece of code runs.

Upvotes: 0

Amelia

Reputation: 2970

This isn't actually what you think it is.

The back button on a browser fetches the last page in its cache for you.

If you must really prevent this, then you have two options:

  1. Disable caching (usually a bad idea). See How to control web page caching, across all browsers? for that.
  2. Have a JavaScript keep-alive to a resource in the page and redirect the user if this keepalive shows the user is not logged in.

Personally I'd just blame caching and ignore it. There's also a third option: using the HTML5 history API, but that's probably way over the top.

Upvotes: 1
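A sketch of the keep-alive approach from option 2 above, as an added example that is not part of any answer. It asks the server for the current session state each time the page is shown, instead of trusting a value rendered into the page. `AUTH_STATUS_URL` is a hypothetical endpoint assumed to return JSON `{"authenticated": true|false}`; `LOGIN_URL` is the login route from the question.

```javascript
// Added example, not from the answers. AUTH_STATUS_URL is a hypothetical
// endpoint assumed to return JSON {"authenticated": true|false} for the
// current session; LOGIN_URL is the login route used in the question.
const AUTH_STATUS_URL = '/auth/status';
const LOGIN_URL = '/users/login';

// Ask the server for the live session state. Anything other than an explicit
// "authenticated: true" (HTTP error, bad JSON, network failure) fails closed.
async function checkSession(fetchFn) {
  try {
    const res = await fetchFn(AUTH_STATUS_URL, {
      cache: 'no-store',           // never answer this probe from the HTTP cache
      credentials: 'same-origin',  // send the session cookie
      headers: { Accept: 'application/json' },
    });
    if (!res.ok) return false;
    const body = await res.json();
    return body.authenticated === true;
  } catch (err) {
    return false;
  }
}

// Hide the page until the server confirms the session, then reveal or leave.
async function guardPage(win, fetchFn) {
  const root = win.document.documentElement;
  root.style.visibility = 'hidden';
  if (await checkSession(fetchFn)) {
    root.style.visibility = '';
    return 'shown';
  }
  win.location.replace(LOGIN_URL); // replace() swaps the stale history entry for the login page
  return 'redirected';
}

// pageshow fires on normal loads and on back/forward-cache restores, where
// scripts that already ran (such as a document-ready handler) are not re-run.
if (typeof window !== 'undefined') {
  window.addEventListener('pageshow', () => {
    guardPage(window, window.fetch.bind(window));
  });
}
```

This only controls what the browser displays: a stored copy of the page still exists unless the response was sent with no-store, and the server must keep rejecting requests that arrive without a valid session.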
