Question
I just added a simple login using tornado.web.authenticated based off of some tutorials online. Unfortunately, after logging out successfully, when I press the back button on my browser, I'm still able to see logged in pages. Is there a way to trigger the login screen for pages in the browsing history?
To clarify, I am already using the @tornado.web.authenticated annotation and it is working well for the normal use cases, but I am running into the issue that when going back using the browser's Back button, I am still able to see pages as if I were logged in. I am hoping that there is a way to address this potential security issue.
Recommended answer
When you hit the back button after logout, your browser loads the previous page from cache. To prevent protected pages from being cached, you must set the following headers as described in this question:
self.set_header('Cache-Control', 'no-cache, no-store, must-revalidate')
self.set_header('Pragma', 'no-cache')
self.set_header('Expires', '0')
You could put that in a decorator, something like:
import functools
import tornado.web

def protected(method):
    """Like @tornado.web.authenticated, but also marks the response uncacheable."""
    @tornado.web.authenticated
    @functools.wraps(method)
    def wrapper(self, *args, **kwargs):
        # Tell the browser (and any intermediary) not to keep a copy, so the
        # Back button re-requests the page and hits the login check instead.
        self.set_header('Cache-Control', 'no-cache, no-store, must-revalidate')
        self.set_header('Pragma', 'no-cache')
        self.set_header('Expires', '0')
        return method(self, *args, **kwargs)
    return wrapper
Then decorate your protected pages with @protected instead of @tornado.web.authenticated.
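The practical check that goes with this answer is to look at the response headers your protected handlers actually emit and ask which directive really stops the back button: only no-store forbids storing the body, while no-cache, private, Pragma and Expires are weaker than they look. The following is an added example, not code from the original question or answer and not part of Tornado; the function names (audit_cacheability, parse_cache_control, protected_page_headers) and the SAMPLE_RESPONSES header sets are constructed here for illustration. It parses Cache-Control per RFC 9111 and explains, for each sample response, why it can or cannot be shown from history after logout.

```python
# Added example: audit response headers for the back-button problem above.
# Not part of the original answer or of Tornado; all names and samples are
# constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CacheVerdict:
    """Result of auditing one response's caching headers."""
    may_be_stored: bool  # True if a browser cache or history may keep the body
    findings: list[str] = field(default_factory=list)


def parse_cache_control(value: str) -> dict[str, str | None]:
    """Split Cache-Control into {directive: argument-or-None}.

    Directive names are case-insensitive (RFC 9111 section 5.2) and quoted
    arguments lose their quotes; a repeated directive keeps its last value."""
    directives: dict[str, str | None] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def _header(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive lookup on a plain header dict."""
    wanted = name.lower()
    for key, val in headers.items():
        if key.lower() == wanted:
            return val
    return None


def audit_cacheability(headers: dict[str, str]) -> CacheVerdict:
    """Report whether a protected page could come back from cache after logout.

    Only 'no-store' forbids storing the response. 'no-cache' lets the browser
    keep a copy and merely asks it to revalidate, 'private' only excludes shared
    caches, Expires is overridden by max-age, and Pragma is defined only for
    requests in HTTP/1.1, so neither is a fix on its own."""
    findings: list[str] = []
    cc_raw = _header(headers, "Cache-Control")
    directives = parse_cache_control(cc_raw) if cc_raw else {}

    if "no-store" in directives:
        findings.append("no-store present: the body will not be stored")
        return CacheVerdict(False, findings)

    if not cc_raw:
        findings.append("no Cache-Control header: heuristic freshness applies")
    else:
        if "no-cache" in directives:
            findings.append("no-cache only forces revalidation; a copy may still be stored")
        if "private" in directives:
            findings.append("private keeps shared caches out, not the user's own browser")
        if "max-age" in directives:
            findings.append(f"max-age={directives['max-age']} is a freshness lifetime, not a ban on storing")
    pragma = _header(headers, "Pragma")
    if pragma and "no-cache" in pragma.lower():
        findings.append("Pragma: no-cache is an HTTP/1.0 fallback, not a fix on its own")
    if not cc_raw and _header(headers, "Expires") is not None:
        findings.append("Expires without Cache-Control: a stale copy may still be kept")
    findings.append("missing no-store: the Back button may render this page from cache")
    return CacheVerdict(True, findings)


def protected_page_headers() -> dict[str, str]:
    """The three headers the answer above sets on every protected page."""
    return {
        "Cache-Control": "no-cache, no-store, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "0",
    }


# Constructed sample responses for the audit; not captured from a real server.
SAMPLE_RESPONSES = {
    "tornado_default": {  # what a handler sends if it sets nothing itself
        "Content-Type": "text/html; charset=UTF-8",
    },
    "no_cache_only": {  # a common but insufficient attempt
        "Content-Type": "text/html; charset=UTF-8",
        "Cache-Control": "private, no-cache, max-age=0",
    },
    "hardened": {"Content-Type": "text/html; charset=UTF-8", **protected_page_headers()},
}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        verdict = audit_cacheability(hdrs)
        print(f"{name}: may_be_stored={verdict.may_be_stored}")
        for line in verdict.findings:
            print("  -", line)
```

Run it as a script to see the verdict for each sample; to audit a live server, feed it the header dict from a curl -i or an HTTP client response for a page fetched while logged in. Note that the headers only stop the browser from replaying a stored copy: the logout handler must still clear the session cookie so that the re-fetch the Back button now triggers actually fails the @tornado.web.authenticated check.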