How to clear the browser cache after a user logs out, so that private information cannot be reached via the Back button

Time: 2022-11-19 12:06:27

After a user logs out, if they hit the back button, they can go back to the last page they were on before logging out.

The app I am working on will often be used on a public computer (library or computer lab, for example) and I'd like to prevent users from being able to see anything from previous user sessions.

I'm on Rails 3 and Devise, btw, although it seems that this issue would come up with any framework or login mechanism.

Is the solution to use headers/meta-tags to disable browser-caching? Anybody know of a gem or tutorial that addresses this issue?

Look forward to your advice.

3 solutions

#1


5  

Use the below code in application controller .. it works for me. Hope this will help you. Thank you!!

# Rails 3 filter name: runs before every action of ApplicationController
before_filter :set_cache_buster

def set_cache_buster
  # Cache-Control is the HTTP/1.1 directive; Pragma and Expires are the
  # HTTP/1.0 fallbacks for older browsers and proxies.
  response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate"
  response.headers["Pragma"] = "no-cache"
  response.headers["Expires"] = "Fri, 01 Jan 1990 00:00:00 GMT"
end

#2


3  

Being on Rails, you can easily set up everything placed in the public folder with an aggressive cache, and cherry-pick what else can be safely cached, like the public "about" page.

You should set Cache-Control: no-cache to prevent the browser from caching HTML pages, XML and JSON containing sensitive information (basically anything that is accessible only with a proper login), and set a more aggressive cache for static assets like CSS and images.

  • Good candidates for an aggressive cache are the CSS and images used within your application and public pages.
  • Good candidates for no-cache are anything accessible after a login (i.e. if you are storing images that should be accessible only to their owner, they shouldn't be cached; if you have an Ajax request for authenticated users, that XML should not be cached).

#3


2  

Yes, you have to use the HTTP headers to instruct the browser not to cache the page. This page () from OWASP contains the information about how to do this.

As per the above article, you can set the following headers to instruct the browser not to cache the page:

HTTP/1.1:
Cache-Control: no-cache

or

HTTP/1.0:
Pragma: no-cache
Expires: <past date or illegal value (e.g., 0)>

Hope this helps.

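Answers #1 and #2 combined into one Rack middleware, as an added example that is not from the question or any of the answers: it applies answer #1's header set to every response rendered for a signed-in session (or that sets a cookie) and a long public cache to static assets, leaving public pages such as /about alone. The asset path pattern, the "user_id" session key and the inner app are hypothetical stand-ins for a Devise application; plain Ruby, no Rails needed to run it.

```ruby
# Rack middleware implementing answer #2's split with answer #1's headers.
# Paths, the "user_id" session key and the inner app are hypothetical.
class CacheBuster
  PUBLIC_ASSET = %r{\A/(assets|images|stylesheets|javascripts)/}  # hypothetical
  # Same headers as answer #1: Cache-Control for HTTP/1.1 caches, plus the
  # Pragma/Expires fallbacks for HTTP/1.0 browsers and proxies.
  PRIVATE = {
    "Cache-Control" => "no-cache, no-store, max-age=0, must-revalidate",
    "Pragma"        => "no-cache",
    "Expires"       => "Fri, 01 Jan 1990 00:00:00 GMT",
  }.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    path    = env["PATH_INFO"].to_s
    session = env["rack.session"] || {}
    if path.match?(PUBLIC_ASSET)
      # Fingerprinted assets carry no per-user data: cache aggressively.
      headers["Cache-Control"] = "public, max-age=31536000"
    elsif session.key?("user_id") || headers.key?("Set-Cookie")
      # Rendered for a signed-in user (or issuing a cookie): the browser must
      # not keep a copy, so Back after sign-out cannot replay the page.
      headers.merge!(PRIVATE)
    end
    # Public pages such as /about keep whatever caching the app chose.
    [status, headers, body]
  end
end

# Constructed inner app standing in for the Rails stack.
ECHO_APP = ->(env) { [200, { "Content-Type" => "text/html" }, ["<p>#{env['PATH_INFO']}</p>"]] }

# Returns the response headers the middleware produces for one request.
def headers_for(path, logged_in: false)
  env = { "PATH_INFO" => path, "rack.session" => logged_in ? { "user_id" => 42 } : {} }
  CacheBuster.new(ECHO_APP).call(env)[1]
end

if __FILE__ == $PROGRAM_NAME
  puts headers_for("/dashboard", logged_in: true).inspect
  puts headers_for("/assets/app-abc123.css").inspect
end
```

In a real app the middleware is registered with config.middleware.use; the check is reactive, so the private headers must be on the response at the time the page is viewed, not only on the sign-out redirect.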