
Once I have logged out of my Symfony2 app I can press the back button and still see password-protected pages pulled from the browser cache.

I have simply:

$session = $request->getSession();
$session->clear();

in my logoutAction.

Any idea how to prevent this?

pregmatch
    How about adding a listener that adds the no-cache header to all responses by protected pages ... or one that adds a different etag based on the session-id? Just a quick idea. – Nicolai Fröhlich Nov 27 '13 at 21:26

3 Answers


No cache header with annotation

This is an answer I found and used for one of my own projects. However, it can be tailored to match against specific routes, in which case you could create a service that informs the event listener when and when not to do this.

Flosculus

An easy way to implement headers to prevent caching for your restricted routes is provided by LiipCacheControlBundle.

You can get an idea of how it works by looking at this configuration example.

A list of headers that can be used to prevent caching:

Cache-Control: (HTTP > 1.1)

  • no-cache
  • must-revalidate
  • no-store
  • max-age=0

Pragma (the HTTP 1.0 version of Cache-Control)

  • no-cache
Nicolai Fröhlich
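A kernel.response listener that puts the headers listed in this answer on every response for a protected path, following the event-listener approach suggested in the first answer. This is an added example, not code from either answer or from LiipCacheControlBundle; the namespace, class name, service id and the /admin and /account prefixes are assumptions.

```php
<?php
// Added example: assumed namespace, class name and path prefixes; not from the answers above.
namespace Acme\SecurityBundle\EventListener;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
/*
 * Register it as a kernel.response listener (services.yml, assumed service id):
 *   acme_security.no_cache_listener:
 *       class: Acme\SecurityBundle\EventListener\NoCacheListener
 *       arguments: [['/admin', '/account']]
 *       tags:
 *           - { name: kernel.event_listener, event: kernel.response, method: onKernelResponse }
 */
class NoCacheListener
{
    private $protectedPrefixes; // path prefixes whose responses must never be cached (assumed values)
    public function __construct(array $protectedPrefixes)
    {
        $this->protectedPrefixes = $protectedPrefixes;
    }
    public function onKernelResponse(FilterResponseEvent $event)
    {
        // Only the master request's headers reach the browser; forwards and ESI sub-requests are skipped.
        if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
            return;
        }
        if ($this->isProtected($event->getRequest()->getPathInfo())) {
            self::forbidCaching($event->getResponse());
        }
    }
    public function isProtected($path)
    {
        foreach ($this->protectedPrefixes as $prefix) {
            if (0 === strpos($path, $prefix)) {
                return true;
            }
        }
        return false;
    }
    public static function forbidCaching(Response $response)
    {
        // no-store keeps the body out of the disk cache; no-cache, must-revalidate and max-age=0 force
        // revalidation on back/forward, so a logged-out session yields the login redirect, not the old page.
        $response->headers->set('Cache-Control', 'no-store, no-cache, must-revalidate, max-age=0');
        $response->headers->set('Pragma', 'no-cache');                          // HTTP/1.0 caches
        $response->headers->set('Expires', 'Thu, 01 Jan 1970 00:00:00 GMT');   // already expired
    }
}
```

Symfony's ResponseHeaderBag recomputes Cache-Control on set(), so the directives may be reordered and "private" appended on the wire; the no-store/no-cache semantics are unchanged.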

If you are using Symfony 2.5.*, this could be a security flaw that comes from the browser cache. The general (but not complete) solution is to send "Expire" headers that the browser may (or may not) pay attention to when you use the back-button behaviour. Here are the Symfony docs for HTTP Cache headers

ioses