可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效,请关闭广告屏蔽插件后再试):
问题:
I am new to Laravel 5 and trying to make a simple authentication page. My problem is i can logout properly after i click to logout link but if i click to back button of the browser, still able to see the content of the page which actually should not be seen with respect to my auth middleware process. I read i can prevent this by disabling caching but don't think it is the best way to do this so how can i make this in a better way ? Simply my logout route is
Route::get('logout', array('uses' => 'LoginController@logout'));
Logout function is:
public function logout() {
Auth::logout(); // logout user
Session::flush();
Redirect::back();
return Redirect::to('pages/login'); //redirect back to login
}
回答1:
When the user clicks the back button they're not actually logged in, its just the browser rendering what it has cached from previous page views. The user won't be able to navigate or interact with anything that requires them to be logged in because, to your application on the server, they're not authenticated.
When the user clicks the back button you have no control over that as it doesn't make a request to the server.
Using the back button, the only content they'll be able to view is that what they have already visited whilst logged in. If they try to access anything new, they'll make a new request to your application, your middleware will trigger and redirect them to the login page.
I guess if you really wanted to stop this behavior you could use some JavaScript and such to send an ajax request and check if the user is logged in that way, but quite useless from a security point of view.
回答2:
Create a middleware using artisan:
php artisan make:middleware RevalidateBackHistory
Within RevalidateBackHistory middleware, we set the header to no-cache and revalidate:
<?php
namespace App\Http\Middleware;
use Closure;
class RevalidateBackHistory
{
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
$response = $next($request);
return $response->header('Cache-Control','nocache, no-store, max-age=0, must-revalidate')
->header('Pragma','no-cache')
->header('Expires','Fri, 01 Jan 1990 00:00:00 GMT');
}
}
Update the application’s route middleware in Kernel.php:
protected $routeMiddleware = [
.
.
'revalidate' => \App\Http\Middleware\RevalidateBackHistory::class,
.
.
];
And that’s all! So basically you just need to call revalidate middleware for routes which require user authentication.
回答3:
Step 1 : create one middleware using following command:
php artisan make:middleware PreventBackHistory
Step 2:
replace content of PreventBackHistory.php with following content:
<?php
namespace App\Http\Middleware;
use Closure;
class PreventBackHistory
{
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
$response = $next($request);
return $response->header('Cache-Control','no-cache, no-store, max-age=0, must-revalidate')
->header('Pragma','no-cache')
->header('Expires','Sun, 02 Jan 1990 00:00:00 GMT');
}
}
step 3: register middleware in kernal.php
'preventBackHistory' => \App\Http\Middleware\PreventBackHistory::class,
And good to go :)
回答4:
A method I have used is to simply redirect to the previous page after logout.
So long as the previous page was secured, the auth middleware will kick in and redirect you back to the login page. Now when you click the back button the previous page is no longer cached and you just get the login page again.
Original discussion: https://laracasts.com/discuss/channels/requests/back-button-browser
public function logout() {
Auth::logout(); // logout user
return redirect(\URL::previous());
}
回答5:
You can overwrite logout method in your AuthenticatesUsers trait as:
public function logout(Request $request)
{
$this->guard()->logout();
$request->session()->invalidate();
return $this->loggedOut($request) ?: redirect()->back();
}
回答6:
Try redirecting to a protected route with auth middleware:
return redirect('home');
so it will force redirect to the login page & the back button will not show the previous page