Logout cookies and caching
- This topic has 3 replies, 2 voices, and was last updated 6 years, 3 months ago by
mbrsolution.
December 21, 2019 at 4:55 am #19502
Susan
Participant

Logging in with the membership page goes to a “members area” xxx.org/membership-login -> xxx.org/members-area
Click to go back to login/logout page
Click Logout – browser then goes to a welcome page (redirect)
Go to the browser back button and pick the page a few items back for the “members area”
The user is still logged in (even though a full logout was done). The user can access private documents

This is the behavior on Chrome
On Firefox, it shows you the “members area” page as if you were logged in, but you cannot actually go to the private documents (so I assume it is a browser cache page)

Doing some debugging in Dev Tools, it appears that Chrome still has all the logged in cookies when you go back to a page after logging out – and somehow, those cookies are still valid (shouldn’t be valid after logout). In Dev Tools, if I disable the cache, everything works properly, so it appears to be related to that cached info.
As far as I can tell, the cache-control on the response headers is no-cache, must-revalidate – so I’m a bit baffled why either browser serves us a page from the cache – but in any case, those cached cookies should not be proper authentication after logout
????
December 21, 2019 at 10:00 pm #19506
mbrsolution
Moderator

Hi,

> Logging in with the membership page goes to a “members area” xxx.org/membership-login -> xxx.org/members-area
> Click to go back to login/logout page
> Click Logout – browser then goes to a welcome page (redirect)
> Go to the browser back button and pick the page a few items back for the “members area”
> The user is still logged in (even though a full logout was done). The user can access private documents

Normally, after a member successfully logs into your site, this login is remembered by the plugin for a few hours. This allows the user to close the browser and come back to it easily. This behavior is user-friendly so this is a common practice for membership type sites.
You can however enable the following option which prevents this from happening if the user closes the browser.
Let me know if the above makes sense to you.
Thank you
December 22, 2019 at 7:33 pm #19507
Susan
Participant

Already had tried your suggestion – it didn’t make any difference.
The “remembering” behavior that you describe is indeed quite common (e.g. Remember Me setting). But this is a different problem. This is an actual Logout – not just closing a browser window. Logout should always invalidate any existing sessions. The cache-control was telling the browser to revalidate each time – so it sends a request with the existing cookie information which should have come back as invalid since the session was logged out. At which point, it would try to fetch the actual page from the server and take you back to requiring a login.
This is a different issue than closing a browser window which doesn’t inherently log a user out as you noted
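
The point made in the post above, that a cookie presented again after logout has to be rejected by the server, shown as an added example (not part of the thread and not the plugin's code). The cookie format `user|sid|expiry|mac`, the `revoked` set and all function names are constructed for illustration; the sketch compares a logout that only clears the cookie in the browser with one that also revokes the session server-side.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # constructed server-side signing key
revoked = set()                   # hypothetical server-side list of logged-out session ids


def issue_cookie(user, ttl=3600, now=None):
    """Return a signed cookie 'user|sid|expiry|mac' (constructed format)."""
    now = time.time() if now is None else now
    body = f"{user}|{secrets.token_hex(8)}|{int(now + ttl)}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def validate(cookie, check_revocation, now=None):
    """Return the user name if the server accepts the cookie, else None."""
    now = time.time() if now is None else now
    try:
        user, sid, expiry, mac = cookie.split("|")
    except ValueError:
        return None
    body = f"{user}|{sid}|{expiry}"
    good = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    # The signature is checked first, so expiry is only parsed when untampered.
    if not hmac.compare_digest(mac, good) or int(expiry) < now:
        return None
    if check_revocation and sid in revoked:
        return None  # session was logged out, even though signature and expiry are fine
    return user


def logout(cookie):
    """Revoke the session server-side and return the header that clears the browser copy."""
    revoked.add(cookie.split("|")[1])
    return "Set-Cookie: session=; Max-Age=0; Path=/; HttpOnly; Secure"


def replay_after_logout():
    """Present a retained copy of the cookie after logout, under both server designs."""
    cookie = issue_cookie("susan")
    logout(cookie)
    return {
        "client_side_only": validate(cookie, check_revocation=False),
        "server_side_revocation": validate(cookie, check_revocation=True),
    }
```

With `check_revocation=False` the retained cookie is still accepted until its expiry, because the `Set-Cookie` header only affects the browser's own copy; with the revocation check the same cookie is rejected immediately.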
December 22, 2019 at 8:38 pm #19508
mbrsolution
Moderator

Hi,

> if I disable the cache, everything works properly, so it appears to be related to that cached info.

Are you running a cache plugin on your site? If you are, which cache plugin are you using?
The above behavior is normal if you are using cache plugins and you didn’t exclude the membership plugin’s registration and login forms from getting cached.
Kind regards