David Kane
Reputation: 91
Golang & Gorilla Sessions - Cache Prevents Logout Functionality
I've built an application that uses the Go Gorilla sessions package. Everything seems fine, except when on logout I implement
func logout(w http.ResponseWriter, r *http.Request) {
session, _ := store.Get(r, "authsesh")
session.Values["access"] = "denied"
session.Save(r, w)
http.Redirect(w, r, "/", 302)
return
}
Because the page requiring authentication is cached by the browser, it can still be accessed after logout. How can I get around that? Is there a way to prevent the browser from caching the page? There's nothing wrong with the cookie, if I clear the cache and keep the cookie I can see the logout has had the desired effect.
Upvotes: 1
Views: 2374
Answers (1)
elithrar
Reputation: 24300
Set the correct cache headers in your handler(s):
w.Header().Set("Cache-Control", "no-cache, private, max-age=0")
w.Header().Set("Expires", time.Unix(0, 0).Format(http.TimeFormat))
w.Header().Set("Pragma", "no-cache")
w.Header().Set("X-Accel-Expires", "0")
Note that we set multiple headers to account for proxies and HTTP/1.0 clients.
You can wrap these into middleware you can apply as well:
func NoCache(h http.Handler) http.Handler) {
fn := func(w http.ResponseWriter, r *http.Request) {
// Set the headers
}
return http.HandlerFunc(fn)
}
// In your router
http.Handle("/user-dashboard", NoCache(http.HandlerFunc(YourDashboardHandler))
Upvotes: 6
Related Questions
- Difference between no-cache and must-revalidate for Cache-Control?
- Problem redirecting and using gorilla sessions in golang
- Do sessions really violate RESTfulness?
- Golang gorilla/sessions and URI scope?
- golang go-endpoints Session using gorilla-toolkit
- Writing Both session and JSON data to http.ResponseWriter