I am using ActiveAuthentication with success. However, I have discovered a problem. In IE, when I am on a page and I log out, everything works fine. If I click on the "back" button, the login page is displayed.
On Firefox, when I am on a page and I log out, the login page is displayed. But if I click on the "back" button I can still access the application page. It seems that the session has not been closed...
I guess it's the Firefox browser caching problem, as it caches the page on the local system; to verify this you can look at the page hits in the server logs.
When you log out and press the back button there is no hit in the server logs for the previous URL.
So what you need to do is secure all of the application pages which require authentication by using the before_filter validations, so if the user presses the back button and tries to perform some function he will be redirected to the login page to log in again
(when you go to the back page and try to access some page which requires the session authentication, you will know that the session has been closed if you closed it in the logout action! :) )
Yes, that's it. When I hit the back button in Firefox, no action is executed but the previous page is displayed. In that page, if I hit a button to execute an action, then the login page is displayed. It means that the session was closed successfully.
I will try to find a solution to not show the previous page, but the problem is definitely not ActiveAuthentication.
Firefox even saves a number of previous pages in its cache history (maybe all of them have some DB-oriented dynamic information!) and when we press the back button it shows us the page from the cache. This was a bug in older Firefox versions: it stored too many history pages in the cache, which made Firefox use a huge amount of memory for caching, and it got slower and perhaps also started hanging.
But I guess this problem has been solved in some way; storing too many pages in the cache may now depend on some function like the visiting time of the page or the number of last pages in history, to reduce memory usage, but it still caches a number of pages!
I didn't get time to research or explore this topic later, but if you solve the problem of disabling the previous page or forcing specific DB-oriented pages to be fetched from the server every time, please post it here so many developers get that useful solution, including me. :)
This is not a critical problem generally, because caching saves network bandwidth, but it will be critical in applications which have some confidential information; when the user signs out it shouldn't show the previous pages.
One solution is that you shift your post-authentication secure pages to the SSL protocol (https), and it works well when the pages are using https :).
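The "force the server to be hit every time" idea from the thread, as an added example that is not from the thread, from ActiveAuthentication or from any poster: a Rack-style middleware in plain Ruby that marks every response served to a logged-in session as non-cacheable, so "back" after logout has to re-request the page and the before_filter can redirect to login. The session key `rack.session` and the `:user_id` field are assumed names; the history-check helper is a simplified model of browser behaviour.

```ruby
# Added example (not the thread's or ActiveAuthentication's code): mark
# authenticated responses as non-cacheable so the browser cannot replay them
# from its cache/history after logout.
NO_CACHE_HEADERS = {
  "Cache-Control" => "no-cache, no-store, max-age=0, must-revalidate",
  "Pragma"        => "no-cache",                         # HTTP/1.0 caches
  "Expires"       => "Fri, 01 Jan 1990 00:00:00 GMT"     # a date in the past
}.freeze

# Rack middleware needs nothing from the rack gem: an object with #call(env)
# that returns [status, headers, body].
class NoStoreForAuthenticated
  def initialize(app)
    @app = app
  end

  # env["rack.session"] is an assumed key holding the session hash; only
  # responses for a logged-in session (assumed :user_id) get the headers,
  # so public pages stay cacheable.
  def call(env)
    status, headers, body = @app.call(env)
    session = env["rack.session"] || {}
    headers = headers.merge(NO_CACHE_HEADERS) if session[:user_id]
    [status, headers, body]
  end
end

# Simplified model of the browser: a stored copy may be shown from history
# unless the response carried "no-store".
def may_serve_from_history?(headers)
  directives = headers.fetch("Cache-Control", "").split(",").map(&:strip)
  !directives.include?("no-store")
end

# Constructed sample application: one page that renders for any request.
APP = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<h1>Accounts</h1>"]] }

# Build a request with or without a logged-in session and run it through
# the middleware.
def response_for(logged_in)
  env = {
    "PATH_INFO"    => "/accounts",
    "rack.session" => logged_in ? { user_id: 42 } : {}
  }
  NoStoreForAuthenticated.new(APP).call(env)
end
```

Wire the class into `config/middleware` (or set the same headers from a before_filter in the authenticated controllers) and check the server log: with `no-store` in place, pressing "back" after logout produces a fresh hit for the previous URL.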