{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 Juvenile、少年° 的问题《Prevent Browser's Back Button Login After Logo》','https://www.manongdao.com/q-1178108.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am new to Laravel 5 and trying to make a simple authentication page. My problem is i can logout properly after i click to logout link but if i click to back button of the browser, still able to see the content of the page which actually should not be seen with respect to my auth middleware process. I read i can prevent this by disabling caching but don't think it is the best way to do this so how can i make this in a better way ? Simply my logout route is
Route::get('logout', array('uses' => 'LoginController@logout'));
Logout function is:
public function logout() {
Auth::logout(); // logout user
Session::flush();
Redirect::back();
return Redirect::to('pages/login'); //redirect back to login
}
Step 1 : create one middleware using following command:
Step 2:
replace content of PreventBackHistory.php with following content:
step 3: register middleware in kernal.php
And good to go :)
Create a middleware using artisan:
Within RevalidateBackHistory middleware, we set the header to no-cache and revalidate:
Update the application’s route middleware in Kernel.php:
And that’s all! So basically you just need to call revalidate middleware for routes which require user authentication.
Try redirecting to a protected route with auth middleware:
so it will force redirect to the login page & the back button will not show the previous page
You can overwrite logout method in your AuthenticatesUsers trait as:
When the user clicks the back button they're not actually logged in, its just the browser rendering what it has cached from previous page views. The user won't be able to navigate or interact with anything that requires them to be logged in because, to your application on the server, they're not authenticated.
When the user clicks the back button you have no control over that as it doesn't make a request to the server.
Using the back button, the only content they'll be able to view is that what they have already visited whilst logged in. If they try to access anything new, they'll make a new request to your application, your middleware will trigger and redirect them to the login page.
I guess if you really wanted to stop this behavior you could use some JavaScript and such to send an ajax request and check if the user is logged in that way, but quite useless from a security point of view.
A method I have used is to simply redirect to the previous page after logout. So long as the previous page was secured, the auth middleware will kick in and redirect you back to the login page. Now when you click the back button the previous page is no longer cached and you just get the login page again.
Original discussion: https://laracasts.com/discuss/channels/requests/back-button-browser