Handling navigation from the browser's Back button after Logout in Play Framework.

Table of contents

Reading Time: 3 minutes

PROBLEM

While developing any web application most of us have seen a common glitch where by hitting ‘Back’ button of the browser after successful sign-out, we would still get to see the pages which should only be visible if our session is alive.

PREREQUISITES

The scenario I am referring to is the one where we have already handled all the cases in the server side code for redirecting the user to login page if their session does not exist while making an attempt to see the authenticated content.

CAUSE

The problem is caused by the history maintained by the browser itself. The Back button of the modern browsers fetches the previously navigated page from the history instead of fetching it from the server in order to optimize the response delay. Since the page is not coming from the server we cannot have the authentication logic to work and perform a redirection.

FIX

To fix this issue we may add HTTP headers in the request responsible for serving the page that tells the browser to get these pages directly from the server every time instead of the cache or history of browser.

IMPLEMENTATION

We will be using filter API in play framework to make changes in every request. To know more about the filters and how they are used, read this documentation : Play 2.4 filter API

RELEVANT CODE

Custom filter that would add the http headers in each request

package controllers

import play.api.http.HttpFilters
import play.api.libs.concurrent.Execution.Implicits.defaultContext
import play.api.mvc._

import scala.concurrent.Future

/**
  * Filter to add HTTP headers in all requests and prevent browser caching for all the response pages
  * Created by justin on 1/24/16.
  */

object DisableBrowserCache extends Filter {

  def apply(nextFilter: RequestHeader => Future[Result])
           (requestHeader: RequestHeader): Future[Result] = {

    nextFilter(requestHeader).map { result =>

      result.withHeaders("Cache-Control" -> "no-cache, no-store, must-revalidate",
        "Pragma" -> "no-cache",
        "Expires" -> "0")
    }
  }
}

class MyHttpFilter extends HttpFilters {
  val filters = Seq(DisableBrowserCache)
}

Add this line in the application.conf file of your play-application

play.http.filters = controllers.MyHttpFilter

Sample controller Actions and the flow that would be required for this to work

package controllers

import play.api.mvc._

object Application extends Controller {

def signIn = Action {
Ok(views.html.signIn("Credentials required")) // form action on this view would be 'redirectProfile'
}

def redirectProfile = Action { implicit request =>
//write your Authentication logic here
//redirect to your profile or sign-in page depending whether user is authenticated
Redirect(routes.Application.profile()).withSession("userID" -> "SomeUniqueID") //session is having user's identity
}

def profile = Action{ implicit request =>
//check whether user's identity can be found in session or not
request.session.get("userID").fold{
Ok(views.html.signIn("Session Does not exist - Sign In Again"))
}{
sessionExists =>
Ok(views.html.profile("Successfully signed in  - User's Profile Page"))
}
}

def signOut = Action {
//destroy user's session when user opt for sign-out
Ok(views.html.signIn("Successfully signed out - Sign In Page")).withNewSession
}

}

ADVANTAGES

That’s all there is to fix the issue of “back-button-after-logout” panic, in play-application. This fix is not gonna require any special java-script to disable the redirection and we won’t have to disable the Back button’s functionality.

POTENTIAL DRAWBACKS

But as always there is a trade off in this scenario as well, we may see some decrease in performance if the application is not very dynamic i.e. If you want to cache the whole HTML page within the browser cache. Also this fix is reliable only for the modern browsers and may not support legacy HTTP 1.0 on all previous versions.

Note: we have tested this fix on chrome 47.0.2526.111 (64-bit), firefox 37.0 and safari 9.0