Laravel Logout Caching Issue

- PHP, LARAVEL

This is an issue which I’m sure affects many frameworks and custom sites. Because I work mainly with Laravel, I’m using the framework to illustrate this issue. The video below demonstrates how browsers can cache pages that require authorisation. The cached pages can sit in a browser’s history long after the user has logged out. This could allow unauthorised users to use the browser’s back button to view private pages.

Laravel Logout Caching Issue Video

After a bit of Googling, I found an excellent post by David Beitey. In this post, he outlines the required headers to tell a browser not to cache a page. Inspired by this post, I created the following middleware. When this middleware is added to pages that require authorisation, it stops browsers from caching the sensitive pages.

<?php

namespace App\Http\Middleware;

use Carbon\Carbon;
use Closure;

class PrivateResponse
{
    /**
     * Handle an incoming request.
     *
     * Runs after the inner handlers have produced a response and marks it
     * as uncacheable, so a browser will not serve it again from its cache
     * (for example via the back button) once the user has logged out.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        $response = $next($request);

        // Set the headers through the Symfony header bag rather than
        // withHeaders(): not every response returned by $next is an
        // Illuminate response (file downloads are a BinaryFileResponse),
        // and those do not have withHeaders().
        $response->headers->set(
            'Cache-Control',
            'no-store, no-cache, max-age=0, must-revalidate, private'
        );

        // HTTP dates must be expressed in GMT, not the application
        // timezone. An Expires value of "now" tells older caches the
        // page is already stale.
        $response->headers->set(
            'Expires',
            Carbon::now('UTC')->format('D, d M Y H:i:s \G\M\T')
        );

        return $response;
    }
}
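The following feature test is an added example and is not part of the original post. It checks that a route protected by the middleware above actually leaves the browser nothing to cache. It assumes a stock Laravel 5.5–7 application layout (`Tests\TestCase`, the `App\User` model with the default `factory()` helper, and the `auth` middleware redirecting guests to `/login`); the `/private-page` route is hypothetical and is registered inside the test so the check does not depend on `Kernel.php` wiring. One detail worth knowing: Symfony’s response header bag parses `Cache-Control` and re-emits the directives in alphabetical order, so the test compares directives individually instead of matching the raw header string.

```php
<?php
// Added feature test for the PrivateResponse middleware (not from the
// original post). Assumes Laravel 5.5-7 conventions: App\User with a
// model factory, Tests\TestCase, and the stock "auth" middleware.

namespace Tests\Feature;

use App\Http\Middleware\PrivateResponse;
use App\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Route;
use Tests\TestCase;

class PrivateResponseTest extends TestCase
{
    use RefreshDatabase;

    protected function setUp(): void
    {
        parent::setUp();

        // Hypothetical protected route: requires a login and carries the
        // no-cache middleware, exactly as a real dashboard route would.
        Route::middleware(['auth', PrivateResponse::class])
            ->get('/private-page', function () {
                return 'sensitive content';
            });
    }

    /**
     * Split "a, b=1, c" into ['a' => true, 'b' => '1', 'c' => true] so
     * directives can be checked regardless of the order they are emitted in.
     */
    private function cacheControlDirectives($response): array
    {
        $directives = [];
        foreach (explode(',', (string) $response->headers->get('Cache-Control')) as $part) {
            $part = trim($part);
            if ($part === '') {
                continue;
            }
            [$name, $value] = array_pad(explode('=', $part, 2), 2, true);
            $directives[strtolower($name)] = $value;
        }

        return $directives;
    }

    public function testPrivatePageIsNotCacheable()
    {
        $user = factory(User::class)->create();

        $response = $this->actingAs($user)->get('/private-page');
        $response->assertStatus(200);

        // Symfony sorts Cache-Control directives alphabetically when the
        // header is set, so compare directives rather than the raw string.
        $directives = $this->cacheControlDirectives($response);
        foreach (['no-store', 'no-cache', 'must-revalidate', 'private'] as $name) {
            $this->assertArrayHasKey($name, $directives, "Cache-Control is missing {$name}");
        }
        $this->assertSame('0', $directives['max-age']);

        // Expires must be present and must not lie in the future.
        $expires = $response->headers->get('Expires');
        $this->assertNotNull($expires);
        $this->assertLessThanOrEqual(time(), strtotime($expires));
    }

    public function testGuestIsRedirectedAwayFromPrivatePage()
    {
        // The auth middleware runs first, so an anonymous visitor never
        // receives the protected body at all.
        $this->get('/private-page')->assertRedirect('/login');
    }
}
```

Run it with `vendor/bin/phpunit tests/Feature/PrivateResponseTest.php`. For real routes, register the class under a key of your choosing in `$routeMiddleware` in `app/Http/Kernel.php` and apply it next to `auth` on every route group that serves logged-in content; the test above stays valid because it references the middleware by class name.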