
cytisay's avatar

Prevent user from going back to last page visited after clicking logout button

How do I prevent the user from going back to the dashboard page (or any page last visited before logging out) after clicking logout?

My logout works, but I need to refresh the page first before losing total access to the authenticated pages. I am using Laravel + Inertia, and based on the discussions I've found about my concern, the user can go back to the page last visited before logging out because the whole system does not reload. But after a reload, the session is totally destroyed.

In relation to this, the same thing also happens once the user has logged in and pressed the back button: it goes back to the login page. How do I prevent these events from happening? For your reference, here's the block of code I used for my logout in my AuthenticatedSessionController:

public function destroy(Request $request): RedirectResponse
{
    Auth::guard('web')->logout();

    $request->session()->invalidate();

    $request->session()->regenerateToken();

    return redirect()->route('login');
}

And here's a sample of my route:

Route::middleware(['auth', 'user-access:applicant'])->group(function (){
    Route::get('/applicant/dashboard', [ApplicantController::class, 'ApplicantDashboard'])->name('applicant.dashboard');

    Route::get('/applicant/profile', function () {
        return Inertia::render('Applicant/Profile');
    })->name('applicant.profile');
});
Snapey's avatar

If you have sensitive pages, you can tell the browser not to cache the content; however, this will slow performance if the user regularly loads the same page.

Middleware file NoCacheHeaders

<?php

namespace App\Http\Middleware;

use Closure;

class NoCacheHeaders
{
    /**
     * Set no-cache HTTP headers on the response.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @param  string|array  $options  Unused.
     * @return \Symfony\Component\HttpFoundation\Response
     */
    public function handle($request, Closure $next, $options = [])
    {
        // Let the rest of the pipeline build the response first.
        $response = $next($request);

        // A date in the past marks the response as already expired.
        $response->headers->set('Expires', 'Fri, 01 Jan 1990 00:00:00 GMT');
        // Tell the browser not to store the response or reuse it without revalidating.
        $response->headers->set('Cache-Control', 'no-cache, must-revalidate, no-store, max-age=0, private');

        return $response;
    }
}

The browsers view it as: you have seen this content, no harm in allowing you to go back. Security advice is to close the session after logging out if you want to prevent someone else looking at the content.
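One way to check that the middleware above takes effect, as an added example that is not part of the original answer: a Laravel feature test that attaches `NoCacheHeaders` to a route by class name and asserts on the response headers. The test file name and the `/_probe/...` URIs are constructed for illustration.

```php
<?php
// tests/Feature/NoCacheHeadersTest.php (added example; file name and probe URIs are constructed)

namespace Tests\Feature;

use App\Http\Middleware\NoCacheHeaders;
use Illuminate\Support\Facades\Route;
use Tests\TestCase;

class NoCacheHeadersTest extends TestCase
{
    protected function setUp(): void
    {
        parent::setUp();

        // Constructed probe routes. On real routes the class name goes in the
        // same middleware array as 'auth', e.g. ['auth', NoCacheHeaders::class].
        Route::middleware(NoCacheHeaders::class)->get('/_probe/protected', fn () => 'secret');
        Route::get('/_probe/plain', fn () => 'public');
    }

    // Request the URI and return its Cache-Control header as a string.
    private function cacheControl(string $uri): string
    {
        $response = $this->get($uri);
        $response->assertOk();

        return (string) $response->headers->get('Cache-Control');
    }

    public function test_middleware_marks_response_as_not_storable(): void
    {
        $header = $this->cacheControl('/_probe/protected');

        // Symfony may reorder the directives, so check each one separately.
        foreach (['no-store', 'no-cache', 'must-revalidate', 'private'] as $directive) {
            $this->assertStringContainsString($directive, $header);
        }
    }

    public function test_route_without_middleware_lacks_no_store(): void
    {
        // Nothing on the plain route sets no-store, so the browser may keep the page.
        $this->assertStringNotContainsString('no-store', $this->cacheControl('/_probe/plain'));
    }
}
```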
