Liam Morley
2008-Nov-24 02:40 UTC
What to do when a user logs out, then presses the back button?
There are two cases I'm concerned about here when a user logs out, then clicks the back button:

1. The user presses the "back" button and goes back to a page that would otherwise require authentication.

   Right now, the existing page is still kept in cache, so private data is still being seen. I'm guessing I'll be using Rails' new ETag support here, and I was just looking to see how everybody else has been handling this since before 2.2; this is less of a concern than #2, which is...

2. The user presses the "back" button and goes to a public page.

   The data in this case is not sensitive, but because Rails forms use authenticity tokens that are tied to the session, the session becomes invalidated after logging out. If the user presses the back button and then clicks "log out" again, an InvalidAuthenticityToken error is thrown; I'd really rather not show a 500 error page if this happens. Any ideas how to avoid it? (Is it a bug in Rails if there's no way to avoid this?)

So the burning question on my mind here is, how do I avoid throwing an InvalidAuthenticityToken error, should a user log out, click 'back', then click on 'log out' again? (This question is posed by a client, so I can't just ignore this edge case.)

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org. To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
Liam Morley
2008-Nov-24 13:32 UTC
Re: What to do when a user logs out, then presses the back button?
On Mon, Nov 24, 2008 at 4:30 AM, Frederick Cheung <frederick.cheung-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

>> 2. the user presses the "back" button and goes to a public page
>>
>> The data in this case is not sensitive, but because Rails forms use
>> authenticity tokens that are tied to the session, the session becomes
>> invalidated after logging out. If the user presses the back button and
>> then clicks "log out" again, an InvalidAuthenticityToken error is
>> thrown; I'd really rather not show a 500 error page if this happens.
>> Any ideas how to avoid it? (Is it a bug in rails if there's no way to
>> avoid this?)
>>
> You should be able to rescue that exception (see rescue_from etc...)
>
> Fred

Fred, thanks for responding - I'm not sure if I can, because the exception is generated and thrown in the framework before it even gets to the controller. Where would I rescue from?

Liam
Frederick Cheung
2008-Nov-24 13:39 UTC
Re: What to do when a user logs out, then presses the back button?
On Nov 24, 1:32 pm, "Liam Morley" <imo...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> On Mon, Nov 24, 2008 at 4:30 AM, Frederick Cheung <
>
>>> You should be able to rescue that exception (see rescue_from etc...)
>>
>> Fred
>
> Fred, thanks for responding - I'm not sure if I can, because the exception
> is generated and thrown in the framework before it even gets to the
> controller. Where would I rescue from?
>

with rescue_from hopefully. Or with an around filter if that doesn't work (token verification is just another filter after all).

Fred

> Liam
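The flow the whole thread is about, as an added example that is not part of the thread and is not Rails' own code: a plain-Ruby model of a session store, a per-session authenticity token, a logout action whose token check runs as a filter before the action body, and a handler that turns a stale-token failure into a redirect instead of a 500. It also sets the no-store cache headers that address Liam's case #1 (the cached private page). In Rails the real hooks are the verify_authenticity_token filter and rescue_from ActionController::InvalidAuthenticityToken in ApplicationController; the class and method names here (TinyApp, handle_bad_token, simulate_logout_back_logout) are invented for the example.

```ruby
# Added example (not from the thread, not Rails code): a minimal model of
# "log out, press back, click log out again" with a session-bound
# authenticity token. Names below are invented for illustration.
require 'securerandom'

class InvalidAuthenticityToken < StandardError; end

class TinyApp
  attr_reader :sessions

  def initialize
    @sessions = {}   # server-side session store: sid => { :user, :token }
  end

  # Log in: create a session and a token that is only valid for that session.
  def login(user)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { :user => user, :token => SecureRandom.hex(16) }
    sid
  end

  # Render the page carrying the logout form. The browser may cache this page,
  # so the headers tell it not to (case #1 in the question).
  def render_logout_form(sid)
    session = @sessions.fetch(sid)
    { :status => 200,
      :headers => no_store_headers,
      :body => "<form method=post action=/logout>" \
               "<input name=authenticity_token value=#{session[:token]}></form>" }
  end

  # POST /logout. The token check happens before the action body, as a filter
  # does in Rails; a failure is rescued here instead of surfacing as a 500
  # (what rescue_from would do in ApplicationController).
  def post_logout(sid, submitted_token)
    verify_authenticity_token!(sid, submitted_token)
    @sessions.delete(sid)                       # invalidate the session
    { :status => 302, :headers => { 'Location' => '/' }, :body => '' }
  rescue InvalidAuthenticityToken
    handle_bad_token
  end

  private

  # Model of the verification filter: the token must belong to a live session.
  # After logout the session is gone, so the token baked into the cached page
  # no longer matches anything and the check raises.
  def verify_authenticity_token!(sid, submitted_token)
    session = @sessions[sid]
    ok = session && submitted_token.is_a?(String) &&
         secure_compare(session[:token], submitted_token)
    raise InvalidAuthenticityToken unless ok
  end

  # A mismatched token on logout means "already logged out": send the user to
  # the login page rather than rendering an error page.
  def handle_bad_token
    { :status => 302, :headers => { 'Location' => '/login' }, :body => '' }
  end

  # Headers that stop the browser from serving a private page from cache
  # when the back button is pressed after logout.
  def no_store_headers
    { 'Cache-Control' => 'no-store, no-cache, must-revalidate',
      'Pragma' => 'no-cache', 'Expires' => '0' }
  end

  # Constant-time comparison so the token check does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Walk through the exact sequence from the question: log in, render the page
# (the browser caches it), log out, press back, submit the cached form again.
def simulate_logout_back_logout(app = TinyApp.new)
  sid = app.login('alice')                        # constructed sample user
  page = app.render_logout_form(sid)
  cached_token = page[:body][/value=(\h+)/, 1]    # token the browser cached
  first = app.post_logout(sid, cached_token)      # normal logout
  second = app.post_logout(sid, cached_token)     # back button, logout again
  { :cache_control => page[:headers]['Cache-Control'],
    :first => first[:status],
    :second => second[:status],
    :second_location => second[:headers]['Location'] }
end

if __FILE__ == $0
  p simulate_logout_back_logout
end
```

The second POST carries a token whose session no longer exists, which is exactly the resubmitted cached form in the question; the rescue maps it to a redirect to the login page, and the first render already carried no-store headers so a real browser would not show the private page on back at all.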