Laravel: Prevent the browser back button to access pages after logout

By Webner


Introduction

When a user logs out of a Laravel application and then presses the browser's back button, the browser often shows the page they were viewing while logged in. No new request reaches the server: the browser simply redisplays its cached copy of the page, so whatever that page contained, including confidential data, is visible to whoever is now sitting at that browser (a shared or public machine is the typical risk). The server-side session is already gone, so a fresh request would be refused, but a cached page needs no request.
This happens because of browser caching. Browsers keep a local copy of the pages they load so that revisiting them is fast, and unless the response told them not to, they reuse that copy for history navigation instead of asking the server again. The fix is therefore to have the application mark every protected response as not storable, so that going back after logout forces a fresh request, which the authentication middleware then rejects.

Follow these steps to prevent the browser’s back button after user logout:

1. Create a new middleware:

In order to create the middleware, run the following command (note there is no space after the colon):
php artisan make:middleware PreventBackHistory
Here, PreventBackHistory is just the name of the middleware; any name can be used. Artisan creates app/Http/Middleware/PreventBackHistory.php with an empty handle method.

2. Configure Middleware:

Open the PreventBackHistory.php file in app/Http/Middleware and replace the generated handle method with the following (the generated file already contains the namespace and the use Closure; import):
public function handle($request, Closure $next)
{
    // Let the request reach the controller first; the headers are added to the response
    $response = $next($request);
    // 'no-store' is the directive that stops the browser reusing the page on back/forward
    // navigation; 'no-cache' alone only forces revalidation of normal loads
    $response->headers->set('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate');
    $response->headers->set('Pragma', 'no-cache');                        // for HTTP/1.0 caches
    $response->headers->set('Expires', 'Sun, 02 Jan 1990 00:00:00 GMT');  // a date in the past
    return $response;
}

This middleware runs after the controller has produced the response and adds cache headers to it. The headers tell the browser (and any proxy in between) not to store the page, so when the user navigates back after logging out, the browser has no saved copy to redisplay and must request the page again. That new request is then handled like any other: the middleware itself does not authenticate anyone, but the auth middleware on the route finds no session and redirects to the login page. Two caveats follow from this. The headers must be set on the protected pages themselves, that is, on responses sent while the user was logged in, not only on the logout response; and the middleware only helps alongside proper server-side authentication on those routes, since it is that check, not the browser, that refuses the page.

3. Register in Kernel:

Open the Kernel.php file in the app/Http folder and add the new middleware to the $routeMiddleware array (the array is named $middlewareAliases in Laravel 10; Laravel 11 has no Kernel.php, and aliases are registered in bootstrap/app.php with $middleware->alias([...]) inside the withMiddleware callback):

'prevent-back-history' => \App\Http\Middleware\PreventBackHistory::class,

Here, we are registering our middleware to be able to use it in our web application.

4. Update Routes:

In the web.php file under routes, add this middleware to the group that contains the protected routes, alongside the authentication middleware those routes already use. For instance, if the group is defined as

Route::middleware('otherMiddlewareName')->group(function () {
    // protected routes
});

change it to

Route::middleware(['prevent-back-history', 'otherMiddlewareName'])->group(function () {
    // protected routes
});

The array form Route::group(['middleware' => ['prevent-back-history', 'otherMiddlewareName']], function () { ... }); is equivalent. Here, 'otherMiddlewareName' stands for the other middleware already applied to the group, typically auth, which is the one that actually rejects requests from logged-out users.

With this in place, every response from a route in that group carries the no-store headers. When a logged-out user presses the back button, the browser has no cached copy to show and sends a new request, and the auth middleware in the same group redirects it to the login page because the session no longer exists. Pages the browser cached before the middleware was deployed are not affected; they can still be shown from the history until they expire or the browser cache is cleared, so users should log out and back in once after the change.
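The four steps above are easy to get subtly wrong (a typo in the header value, the alias registered but never attached to the group), and nothing in the browser will tell you. The Laravel feature test below is an added example, not code from the original article or from Webner, that checks both halves of the protection: that a protected page is really sent with the no-store headers, and that after logout the server itself refuses the page the browser would re-request. It assumes a User model with the HasFactory trait, a GET /dashboard route inside the ['prevent-back-history', 'auth'] group, a named login route, and the standard POST /logout route (as installed by Breeze, Jetstream or laravel/ui); adjust those names to your project.

```php
<?php
// Added example (not part of the original article): feature test for the
// PreventBackHistory middleware described above.
// Assumptions: User model with HasFactory, GET /dashboard protected by
// ['prevent-back-history', 'auth'], a route named 'login', and POST /logout.

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class PreventBackHistoryTest extends TestCase
{
    use RefreshDatabase;

    public function test_protected_page_is_sent_with_no_store_headers(): void
    {
        $user = User::factory()->create();

        $response = $this->actingAs($user)->get('/dashboard');

        $response->assertOk();

        // Symfony normalises and re-orders Cache-Control directives (and appends
        // 'private'), so check for the directives rather than the exact string.
        $cacheControl = (string) $response->headers->get('Cache-Control');
        $this->assertStringContainsString('no-store', $cacheControl);
        $this->assertStringContainsString('no-cache', $cacheControl);
        $this->assertStringContainsString('must-revalidate', $cacheControl);
        $response->assertHeader('Pragma', 'no-cache');
    }

    public function test_protected_page_is_refused_after_logout(): void
    {
        $user = User::factory()->create();
        $this->actingAs($user)->get('/dashboard')->assertOk();

        // Standard POST /logout route (assumed); CSRF is not enforced in tests.
        $this->post('/logout');

        // This is the request the browser is forced to make on "back" once the
        // page is no longer cached: the auth middleware must reject it.
        $this->get('/dashboard')->assertRedirect(route('login'));
    }

    public function test_public_page_is_not_affected(): void
    {
        // The login page is outside the protected group, so it keeps Laravel's
        // default Cache-Control and may be cached normally.
        $cacheControl = (string) $this->get(route('login'))->headers->get('Cache-Control');
        $this->assertStringNotContainsString('no-store', $cacheControl);
    }
}
```

Run it with php artisan test --filter PreventBackHistoryTest. If the first test fails on no-store, the alias was registered but not added to the route group (or the header value was mistyped); if the second fails, the group is missing the auth middleware, and the cache headers alone would not protect the page.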
