Security issue, can navigate to previous pages even after logged out of session #102
Comments
|
This is actually true of all server rendered applications, and just the way the browser works by default. Try it here on GitHub even for example 👍🏻 |
|
Oh man you're right.. just tried it with a different Laravel app with normal pages, and it happens there too. I guess I'll have to find some other way to get around this. The reason I'm concerned about this is because this app will likely be used in a computer lab with lots of different users with their own sensitive data, where they might log out but not close the browser. FYI, GitHub doesn't seem to have this issue. Logged out and navigated back, forced a page refresh. |
|
Weird, happens for me on GitHub! But yeah pretty normal browser behavior unfortunately for your case :/ |
|
@adamwathan Well, FWIW, I did solve this particular issue for me as best as I could figure out. It was a little more difficult than normal, because my logout made an Inertia request instead of a full page reload. So, I did two things.
// Inertia code
axios.post('/logout').then(() => { window.location.href = '/login' })// Laravel middleware
public function handle($request, Closure $next)
{
$response = $next($request);
if (strpos($response->headers->get('Content-Type'), 'text/html') !== false) {
return $response->header('Cache-Control','no-cache, no-store, max-age=0, must-revalidate')
->header('Pragma','no-cache')
->header('Expires','Sun, 02 Jan 1990 00:00:00 GMT');
} else {
return $response;
}
}This means that upon logout, it will remember that the HTML the app is loaded in is not cached, and the back button will try to reload the page rather than just take the cached page. The middleware alone would work for a normal Laravel app, but this didn't apply with Inertia because the logout didn't do a full page reload. |
|
Just out of curiosity are you using the auth/guest middleware to protect your routes? |
|
@gregupton yep, using It turns out that @adamwathan is right about this being standard behavior, even for non-Inertia apps, which freaked me out. The standard solution to this issue is to just apply the above middleware, which works when all the pages are regular, server-rendered Blade pages or whatever. But with Inertia I had to force the page to fully reload upon logout so that a different user couldn't just sit down and hit the back button, seeing the previous page. |
|
After looking into this myself I've made a few discoveries.
The full page refresh happens because the headers tell the browser it must not cache pages and get the page from the server every time. This is how you can make web apps more secure when necessary. However, it doesn't seem that Inertia is taking this into account when it makes its ajax calls. I think it should. I wonder if this issue should be reopened so we can explore a solution? I've opened a new issue #247 to discuss this further. |
|
Hello everyone, does anyone have a work around on this? I also noticed this behaviour and I was not able to find any solutions. |
|
It has been over a year since this was last active... has anyone figured out a solution to this? I tried setting a bunch of headers like |
I think this has to do with the way Inertia saves props in the history.pushState, but I'm able to navigate back and forth on pages even after I'm logged out, and see all the data in their full glory. Is there some way to force a refresh after logged out after a session?
The text was updated successfully, but these errors were encountered: