Destroying a session clears the browser cache for the site

The "Clear-Site-Data" header[^1] is supported in most modern browsers, and sending it when a user signs out prevents the browser from displaying cached pages when a user hits the "back" button. This helps prevent exposure of data if a user logs in to a site on a public computer, for example. [^1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
flavorjones · Jan 13, 2025 · 40d0cb0 · 40d0cb0
1 parent e7c0592
commit 40d0cb0
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/...s/generators/rails/authentication/templates/app/controllers/concerns/authentication.rb.tt b/...s/generators/rails/authentication/templates/app/controllers/concerns/authentication.rb.tt
@@ -49,4 +49,8 @@ module Authentication
       Current.session.destroy
       cookies.delete(:session_id)
     end
+
+    def clear_site_data
+      response.headers["Clear-Site-Data"] = '"cache","storage"'
+    end
 end
diff --git a/...rails/generators/rails/authentication/templates/app/controllers/sessions_controller.rb.tt b/...rails/generators/rails/authentication/templates/app/controllers/sessions_controller.rb.tt
@@ -16,6 +16,7 @@ class SessionsController < ApplicationController
 
   def destroy
     terminate_session
+    clear_site_data
     redirect_to new_session_path
   end
 end