
tornado.web.authenticated back button issue


I just added a simple login using tornado.web.authenticated based off of some tutorials online. Unfortunately, after logging out successfully, when I press the back button on my browser, I'm still able to see logged in pages. Is there a way to trigger the login screen for pages in the browsing history?

Edit: To clarify, I am already using the @tornado.web.authenticated annotation and it is working well for the normal use cases, but I am running into the issue that when going back using the browser's Back button, I am still able to see pages as if I were logged in. I am hoping that there is a way to address this potential security issue.


Solution

  • When you hit the back button after logout, your browser loads the previous page from cache. To prevent protected pages from being cached, you must set the following headers, as described in this question:

    # Inside a tornado.web.RequestHandler method, before the response is written:
    self.set_header('Cache-Control', 'no-cache, no-store, must-revalidate')
    self.set_header('Pragma', 'no-cache')
    self.set_header('Expires', '0')
    

    You could put that in a decorator, something like:

    import functools

    import tornado.web

    def protected(method):
        # The login check runs first; once it passes, the response is marked uncacheable.
        @tornado.web.authenticated
        @functools.wraps(method)
        def wrapper(self, *args, **kwargs):
            self.set_header('Cache-Control', 'no-cache, no-store, must-revalidate')
            self.set_header('Pragma', 'no-cache')
            self.set_header('Expires', '0')
            return method(self, *args, **kwargs)
        return wrapper
    

    Then decorate your protected pages with @protected instead of @tornado.web.authenticated.
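As an added example (not part of the question or the answer above): a runnable Tornado check that the decorator does what the answer claims, using the hypothetical name `protected`, a constructed cookie secret, and a session cookie signed directly with `tornado.web.create_signed_value` in place of a login form. It fetches the protected page while logged in and again once the cookie is gone, and returns the status codes and cache headers a browser would observe.

```python
import asyncio
import functools
import tornado.httpserver
import tornado.testing
import tornado.web
from tornado.httpclient import AsyncHTTPClient

SECRET = "constructed-cookie-secret-do-not-reuse"

def protected(method):
    # Hypothetical name: require a login, then mark the response uncacheable.
    @tornado.web.authenticated
    @functools.wraps(method)
    def wrapper(self, *args, **kwargs):
        self.set_header("Cache-Control", "no-cache, no-store, must-revalidate")
        self.set_header("Pragma", "no-cache")
        self.set_header("Expires", "0")
        return method(self, *args, **kwargs)
    return wrapper

class SecretHandler(tornado.web.RequestHandler):
    def get_current_user(self):
        return self.get_secure_cookie("user")

    @protected
    def get(self):
        self.write("secret page for " + self.current_user.decode())

def make_app():
    return tornado.web.Application([(r"/secret", SecretHandler)],
                                   cookie_secret=SECRET, login_url="/login")

async def _exercise():
    sock, port = tornado.testing.bind_unused_port()
    tornado.httpserver.HTTPServer(make_app()).add_sockets([sock])
    client, url = AsyncHTTPClient(), "http://127.0.0.1:%d/secret" % port
    # A valid session cookie, signed the same way set_secure_cookie would sign it.
    cookie = "user=" + tornado.web.create_signed_value(SECRET, "user", "alice").decode()
    # 1. logged in: 200 plus the headers that forbid the browser from caching the page
    live = await client.fetch(url, headers={"Cookie": cookie})
    # 2. after logout the cookie is gone: the same URL must redirect to login, not show content
    back = await client.fetch(url, follow_redirects=False, raise_error=False)
    return {"status": live.code, "cache_control": live.headers.get("Cache-Control"),
            "pragma": live.headers.get("Pragma"), "expires": live.headers.get("Expires"),
            "after_logout": back.code, "location": back.headers.get("Location")}

def check_protection():
    """Run the exchange on an unused local port; returns what the 'browser' observed."""
    return asyncio.run(_exercise())
```

The headers only stop the browser from serving the page from its own cache; the redirect on the second fetch is what keeps the server from ever handing out the content again.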