myieye
commented
1 day ago The browser is simply pulling things out of its cache.
- One page was always SSRed. For admins that's often the admin page.
- All the load-function request responses are inlined in the SSRed page.
- So, as long as no requests were only done client-side (e.g.
query projectChangesetson the project page only happens client-side), no requests will hit either SvelteKit or the API, so we won't detect that the user isn't authenticated anymore. - Even on the project page, the user can briefly see project info before we chase them away.
We clear the GQL cache and invalidate SvelteKit stuff (by simply doing a full page load), but we never clear the browser cache, because we can't.
So, I think the only bullet-proof way to handle this is to disable the browser cache (for relevant requests) e.g.:
response.headers.set('Cache-Control', 'no-store, no-cache, must-revalidate, private');
response.headers.set('Pragma', 'no-cache');
response.headers.set('Expires', '0');Any other solution will have holes, but they might still be worth considering E.g.:
- On logout, we could explicitly set the cookie in the browser to something (e.g. "INVALID") and check for that value on authenticated pages, redirecting back to the login if we detect it.
- We could play with browser history, so that the back button doesn't work (e.g. insert an item that always redirects to the login) but that's sort of pointless, because the back button isn't the only way to navigate browser history.
hahn-kev
Describe the bug When you log out your local cache should be cleared and clicking back should not be able to take you to a page with sensitive data
To Reproduce
Expected behavior trying to go back should just redirect you back to the login page. Additionally we should figure out where the data is coming from that is being displayed when you go back as the cache should have also been cleared.