Ruturaj.Vaidya22's avatar

Prevent Browser's Back Button Login After Logout in Laravel 8, vue jetstream

Hi, I wanted to know if there is any way to prevent users from going back to the previous page after logging out. I know the user is logged out after you click on logout, but still, if there is any sensitive information, it can be viewed after you click on the back button. I am using Laravel 8 with Vue, Jetstream and Inertia.js. I tried with Laravel middleware with no-cache but still no luck. Below is my code in middleware

public function handle($request, Closure $next)
{
    $response = $next($request);
    // Tell the browser and intermediaries not to cache or store the response
    $response->headers->set('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate');
    $response->headers->set('Pragma', 'no-cache');
    $response->headers->set('Expires', 'Sun, 02 Jan 1990 00:00:00 GMT');
    return $response;
}

Kernel

protected $routeMiddleware = [
    // ...
    'preventBackHistory' => \App\Http\Middleware\PreventBackHistory::class,
];

And I use this middleware for all auth routes after registering it in the kernel. Still it takes me back to the previous page if I hit back after logging out. I think using the above method of clearing the cache also brings up the performance issue. So I want to know what is the best possible way to achieve this. Thanks in advance.

Ruturaj.Vaidya22's avatar

I am still waiting for an answer, or some suggestion at least. What I realized is, from a single page application point of view using Inertia and Jetstream on Laravel, server-side everything is working fine. The issue is on the client's browser which is storing the history. How to prevent or clear it?

jlrdw's avatar

Upon logout redirect to another page, perhaps make one that says you are now logged out. For javascript solution look at window.location.replace.

martinbean's avatar

@ruturaj.vaidya22 Add middleware to your admin routes that indicates responses should not be cached:

Route::group([
    'as' => 'admin.',
    'middleware' => [
        'cache.headers:private',
    ],
    'prefix' => '/admin',
], function () {
    // Your admin panel routes...
});

doug_buck's avatar

@martinbean these headers do nothing. Tried no-cache, no-store, max-age=0, must-revalidate and mentioned private.

Tested on Inertia's demo app. You can observe the history navigation behavior on the live demo app - demo.inertiajs.com. Basically, you can log in, do some stuff in the app, log out, browse some other websites and when you are bored, you can navigate all the way back in the middle of the inertia app with the back button and see everything. Is that's how it is supposed to work?

Also tried to stick window.location.replace('/'(default auth route)) on login request and window.location.replace('/login'(default guest route)) on logout request. This method worked the best BUT it failed a couple of back-button-spam tests. Not sure why, can't recreate it anymore, therefore I don't have the confidence in this method.

martinbean's avatar

Is that's how it is supposed to work?

@mkrisjanis Yup. This exact issue was brought up on the GitHub repository for Inertia and the maintainer basically went, “Yeah, can see this is a problem. But it’d break scroll restoration.”

The fact that they’d prioritise a scrollbar being in the same spot you left it over genuine security concerns is a reason I’ll never use nor recommend Inertia.

Issue for reference: https://github.com/inertiajs/inertia/issues/247

jlrdw's avatar

@martinbean I believe also adding a location.reload(); will handle security. You can still see where you were, but after logout and a location.reload(); you can't do anything, edit etc. But that is also true for non ajax web pages also.

Ruturaj.Vaidya22's avatar

@martinbean, @mkrisjanis, @jlrdw so basically there is no possible way to prevent the browser from going back to the previous page after logout while using inertia stack? I will try with location.reload(); as mentioned by @jlrdw and revert back.

Ruturaj.Vaidya22's avatar

@jlrdw before putting location.reload(), I tried reloading the page manually after logout, still, it goes back to the previous page.

doug_buck's avatar

@Ruturaj.Vaidya22 try the window.location.replace('some-app-route') on log in/log out method. Test it out. The only time it failed for me was right after I set it up, I think the browser got confused with all the history I built right before these changes.

There is also a navigate Inertia event that is triggered on back/forward buttons too. Perhaps that can be useful with some route conditions. But that's just another hack.

@martinbean That's crazy to me. Is this really not that big of a deal to be able to back up and view all the data? You can do it on laracasts too - navigate to a place you don't want anyone to see on your account settings, log out, back - Boom! you see it now. I guess I should appreciate the scroll bar more. Let's just hope no one builds something like a 'little too simple' password management app with inertia and misses this issue.

martinbean's avatar

@mkrisjanis Yup. I was horrified when I saw how blasé they were at such a huge security issue. And it frustrates me even more that people will drink the Kool-Aid for things like Inertia or Livewire or whatever and not realise that issues like this exist.

Another common one is people just dumping entire models into their Inertia props, and then complaining sensitive column values are being leaked to the client-side.

doug_buck's avatar

@martinbean was actually pumped to use inertia since I really like Vue and spa setup without it is quite a task. But I guess a solid manual API - SPA setup will be better than a package with hacky patches here and there.

jlrdw's avatar

@mkrisjanis I use Fetch js. But I noticed that logging out here on forum you can hit back and see last stuff displayed. You can't do nothing, if you try it redirects to login. But I once worked for the State of Texas, at Department of Aging and Disability Services (DADS). And a logout was required and no trace of information left behind. Because of HIPAA. (All current programs were to be closed).

In my opinion only, I wouldn't use Inertia for sensitive data.

But at DADS, you were required (by law) to log out and close anything you had opened if leaving the computer for (bathroom, breaks, etc).

The problem is not every company that deals with sensitive information enforces strict standards.

Again just an opinion and some thoughts on it.

Nevda's avatar

One solution that I found for this problem is using Vuex, so I update data in the store and I can access live/updated things in every component. Right after I log out using the method you see below, I also update data in the Vuex store, so if the user wants to go back using the back button of their browser, it redirects them back to the login page! So, this is one method; however, I'm not sure if it is quite safe and secure or not, but it fully works for me!

Logout method

Inertia.post(route('logout'), null, {
    onStart: () => (data.progress = true),
    onFinish: () => {
        data.progress = false
        store.dispatch('toggleLoggedOut', true)
    },
})

Redirect back to login page after logout!

onMounted(() => {
    if (store.getters.loggedOut) {
        Inertia.visit(route('login'), {})
    }
})

Anaxarchos's avatar

What about using a separate layout file for the restricted area? There an axios request in the onBeforeMount Hook could check if the given user is logged in. If so the page renders, if not, the user is redirected to the login page. The downside is, that this request is fired on each page, but in real life you will hardly notice that.
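
The server-side check suggested in the last post, run on every back/forward navigation and using `location.replace` as mentioned earlier in the thread, as an added example that is not code from any participant or from Inertia. The `/api/session` endpoint (assumed to answer 200 only while logged in), the `/login` route and all function names are assumptions.

```javascript
// Added example: session guard for a restricted layout (all names hypothetical).
// checkSession, showPage and redirect are injected so the logic runs without a browser.
function createSessionGuard({ checkSession, showPage, redirect, loginUrl = '/login' }) {
  let generation = 0; // lets a newer navigation discard the answer of an older check

  return async function guard() {
    const mine = ++generation;
    showPage(false); // hide restored content until the server confirms the session
    let authenticated = false;
    try {
      authenticated = (await checkSession()) === true;
    } catch (err) {
      authenticated = false; // fail closed: a network error counts as logged out
    }
    if (mine !== generation) return 'superseded';
    if (!authenticated) {
      redirect(loginUrl); // replace() overwrites the current history entry
      return 'redirected';
    }
    showPage(true);
    return 'shown';
  };
}

// Browser wiring: win is the window object; sessionUrl is an assumed endpoint.
function installSessionGuard(win, sessionUrl = '/api/session') {
  const guard = createSessionGuard({
    checkSession: async () => {
      const res = await win.fetch(sessionUrl, { credentials: 'same-origin', cache: 'no-store' });
      return res.ok;
    },
    showPage: (visible) => { win.document.documentElement.hidden = !visible; },
    redirect: (url) => win.location.replace(url),
  });
  win.addEventListener('pageshow', guard); // also fires when a page is restored from the back/forward cache
  win.addEventListener('popstate', guard); // back/forward navigation inside the SPA
  return guard;
}
```

The guard only controls what is displayed; anything that must not be readable after logout still has to be withheld by the server, since data already delivered to the browser remains on the client.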
