Reputation: 2470
How to stop session from caching authenticated users data after logout
This code was leverage here
The code below was used to create users session in Go. The session is working fine.
The issue am having is that after user logout, if I click on browser back button. I can then still see the details of the logout user.
I have leverage stackoverflow solution here but no luck
I have also added the following code to logout handler
w.Header().Set("Cache-Control", "no-cache, private, max-age=0")
w.Header().Set("Pragma", "no-cache")
w.Header().Set("X-Accel-Expires", "0")
here is the code
package main
import (
"fmt"
"net/http"
"github.com/gorilla/sessions"
)
var (
// key must be 16, 24 or 32 bytes long (AES-128, AES-192 or AES-256)
key = []byte("super-secret-key")
store = sessions.NewCookieStore(key)
)
func secret(w http.ResponseWriter, r *http.Request) {
session, _ := store.Get(r, "cookie-name")
// Check if user is authenticated
if auth, ok := session.Values["authenticated"].(bool); !ok || !auth {
http.Error(w, "Forbidden", http.StatusForbidden)
return
}
// Print secret message
fmt.Fprintln(w, "The cake is a lie!")
fmt.Fprintln(w, session.Values["foo"])
}
func login(w http.ResponseWriter, r *http.Request) {
session, _ := store.Get(r, "cookie-name")
// Authentication goes here
// Set user as authenticated
session.Values["authenticated"] = true
session.Values["foo"] = "bar"
session.Values[42] = 43
session.Save(r, w)
fmt.Fprintln(w, session.Values["authenticated"])
fmt.Fprintln(w, session.Values["foo"])
fmt.Fprintln(w, session.Values["2"])
}
func logout(w http.ResponseWriter, r *http.Request) {
session, _ := store.Get(r, "cookie-name")
// Revoke users authentication
session.Values["authenticated"] = false
session.Values["foo"] = ""
session.Values[42] = ""
session.Save(r, w)
// prevent caching
w.Header().Set("Cache-Control", "no-cache, private, max-age=0")
w.Header().Set("Pragma", "no-cache")
w.Header().Set("X-Accel-Expires", "0")
}
func main() {
http.HandleFunc("/secret", secret)
http.HandleFunc("/login", login)
http.HandleFunc("/logout", logout)
http.ListenAndServe(":8000", nil)
}
Upvotes: 1
Views: 720
Answers (1)
Reputation: 1363
I am afraid there is no way to "fix" your code without using JavaScript and changing the "secret" page before leaving it.
The problem is not in Go, or in gorilla/sessions, or even in HTTP: it is in the way the web browsers perform caching: at least in Firefox and Chrome, when going "back" and "forward" the browsers just display the cached page from disk, ignoring completely the headers.
Oh, and BTW: to try to force the browsers to stop caching a page, you should add those lines to the "secret" handler, and not to the "logout" one.
Upvotes: 1
Related Questions
- How do I prevent removal of auth0 session cookie on refresh?
- Sign-in out clearing the session data
- Session variables survive after logout
- Magento User Sessions Being Mixed Up
- Golang & Gorilla Sessions - Cache Prevents Logout Functionality
- How to not delete session data on logout in ember simple auth
- Why a system logout occurs after the cache is cleared even though the login records are stored in the session?
- session destroy cookies on log out
- Session variables reset on the refresh of the page (logging out user)
- Remove user's Session existance after logout