Privacy, caching and making Safari behave
One of the sites I’m working on has health-related information, which is very important to keep private. In particular, after the user logs out, we have to make its pages unavailable via the Back button. It took some work to convince all browsers we meant it, but here’s what works for Safari 3, Firefox 2 & 3 (Mac OS 10.4 Intel), IE 7, Firefox 2 & 3 (Win XP and Vista), IE 6 (Win 2K):
Set the response headers in an after_filter:
# Registered in the controller with: after_filter :set_header
def set_header
  # Date in the past
  headers["Expires"] = "Mon, 26 Jul 1997 05:00:00 GMT"
  # Last-Modified, set to the same fixed date
  headers["Last-Modified"] = "Mon, 26 Jul 1997 05:00:00 GMT"
  headers["Cache-Control"] = "no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0"
  # HTTP/1.0
  headers["Pragma"] = "no-cache"
end
To make Safari behave, add this to all pages:
<iframe style="height:0px;width:0px;visibility:hidden" src="about:blank">
This frame prevents back forward cache in Safari.
</iframe>
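An added example, not part of the original post: a Ruby check that could run in a functional test to confirm that a response from a logged-in page carries the header set from set_header. The names `parse_cache_control`, `audit_no_cache` and the sample header hashes are assumptions made for illustration; it audits headers only and does not cover the Safari iframe workaround.

```ruby
require 'time'

# Directives from the page's set_header that standard caches act on.
# post-check/pre-check are IE-only extensions and are not audited here.
REQUIRED_DIRECTIVES = %w[no-store no-cache must-revalidate].freeze

# Header set from the post, and a constructed weak response for contrast.
PAGE_HEADERS = {
  'Expires' => 'Mon, 26 Jul 1997 05:00:00 GMT',
  'Cache-Control' => 'no-store, no-cache, must-revalidate, max-age=0, ' \
                     'post-check=0, pre-check=0',
  'Pragma' => 'no-cache'
}.freeze
WEAK_HEADERS = { 'Cache-Control' => 'private, max-age=600' }.freeze

# Parse a Cache-Control value into { "directive" => argument-or-true }.
def parse_cache_control(value)
  value.to_s.split(',').each_with_object({}) do |part, out|
    name, arg = part.strip.split('=', 2)
    next if name.nil? || name.empty?
    out[name.downcase] = arg ? arg.delete('"') : true
  end
end

# Return findings for a Hash of response headers; [] means the response
# matches the no-cache policy. Header names are matched case-insensitively.
def audit_no_cache(headers, now = Time.now)
  h = headers.each_with_object({}) { |(k, v), o| o[k.to_s.downcase] = v.to_s }
  cc = parse_cache_control(h['cache-control'])
  findings = REQUIRED_DIRECTIVES.reject { |d| cc.key?(d) }
                                .map { |d| "Cache-Control lacks #{d}" }
  findings << 'Cache-Control marks the response public' if cc.key?('public')
  findings << 'max-age missing or non-zero' unless cc['max-age'].to_s.match?(/\A0+\z/)
  findings << 'Pragma: no-cache missing' unless h['pragma'].to_s.downcase.include?('no-cache')
  if !h.key?('expires')
    findings << 'Expires missing'
  else
    begin
      findings << 'Expires is in the future' if Time.httpdate(h['expires']) > now
    rescue ArgumentError
      # Invalid dates such as "0" count as already expired (RFC 7234, 5.3).
    end
  end
  findings
end

puts audit_no_cache(WEAK_HEADERS) if __FILE__ == $PROGRAM_NAME
```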