Home/ Questions/Q 6067865
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T09:39:16+00:00

I have a restricted area ‘/dashboard’ in my Express application. I use a very

  • 0

I have a restricted area ‘/dashboard’ in my Express application. I use a very small function to limit the access: 

app.get('/dashboard', loadUser, function(req, res){
  res.render('dashboard', {
    username: req.session.username
  });
});

function loadUser(req, res, next){
  if (req.session.auth) {
    next();
  } else {
    res.redirect('/login');
  }
};

The problem is that when I logout a user by calling…

app.get('/logout', function(req, res){
  if (req.session) {
    req.session.auth = null;
    res.clearCookie('auth');
    req.session.destroy(function() {});
  }
  res.redirect('/login');
});

… the session is killed but when I hit Back Button in my browser I got the restricted page from browser’s cache. This means no GET on ‘/dashboard’ and no user login validation.

I tried using no-cache in meta (Jade Template) but it still doesn’t work.

meta(http-equiv='Cache-Control', content='no-store, no-cache, must-revalidate')
meta(http-equiv='Pragma', content='no-cache')
meta(http-equiv='Expires', content='-1')

Anyone?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Josh’s answer sadly didn’t work for me.
    But after some searching I found this
    question: What's the best way to deal with cache and the browser back button?

    and adopted the answer there to this node.js/express problem.
    You just have to change the following line

    res.header('Cache-Control', 'no-cache');

    to

    res.header('Cache-Control', 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0');

    Now, everytime I use the browser back button, the page is reloaded and not cached.

    * update for express v4.x *

    // caching disabled for every route
server.use(function(req, res, next) {
  res.set('Cache-Control', 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0');
  next();
});

// otherwise put the res.set() call into the route-handler you want
    • 0