I just added a simple login using tornado.web.authenticated based off of some tutorials online. Unfortunately, after logging out successfully, when I press the back button on my browser, I'm still able to see logged in pages. Is there a way to trigger the login screen for pages in the browsing history?
Edit: To clarify, I am already using the @tornado.web.authenticated annotation and it is working well for the normal use cases, but I am running into the issue that when going back using the browser's Back button, I am still able to see pages as if I were logged in. I am hoping that there is a way to address this potential security issue.
When you hit the back button after logout, your browser loads the previous page from cache. To prevent protected pages from being cached, you must set the following headers as described in this question
self.set_header('Cache-Control', 'no-cache, no-store, must-revalidate')
self.set_header('Pragma', 'no-cache')
self.set_header('Expires', '0')
You could put that in a decorator, something like:
def protected(method):
@tornado.web.authenticated
@functools.wraps(method)
def wrapper(self, *args, **kwargs):
self.set_header('Cache-Control', 'no-cache, no-store, must-revalidate')
self.set_header('Pragma', 'no-cache')
self.set_header('Expires', '0')
return method(self, *args, **kwargs)
return wrapper
Then decorate your protected pages with @protected instead of @tornado.web.authenticated.
Use the authenticated decorator on your method, that will make sure and redirect user to login page.
login_url should be configured part of the settings -
settings = dict({
"login_url": "/#login",
.....
})
and decorator should be added like -
class Home(BaseHandler):
@tornado.web.authenticated
...
Edit - User should be logged out, you can check by pressing F5, and it will redirect you to login page. If it shows you the content its just a cache issue and you might have to clear the cache explicitly.
来源:https://stackoverflow.com/questions/21680881/tornado-web-authenticated-back-button-issue