Authentication generator controller clears browser cache at logout

flavorjones · mrpasquini · commit fd3ec9a64418 · 2025-01-23T15:00:04.000-08:00
The "Clear-Site-Data" header[^1] is supported in most modern browsers, and sending it when a user signs out prevents the browser from displaying cached pages when a user hits the "back" button after logging out. [^1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
@@ -1,3 +1,10 @@
+*   The authentication generator's `SessionsController` sets the `Clear-Site-Data` header on logout.
+
+    By default the header will be set to `"cache","storage"` to help prevent data leakage after
+    logout via the browser's "back/forward cache".
+
+    *Mike Dalessio*
+
 *   Introduce `RAILS_MASTER_KEY` placeholder in generated ci.yml files
 
     *Steve Polito*
diff --git a/railties/lib/rails/generators/rails/authentication/templates/app/controllers/concerns/authentication.rb.tt b/railties/lib/rails/generators/rails/authentication/templates/app/controllers/concerns/authentication.rb.tt
@@ -49,4 +49,8 @@ module Authentication
       Current.session.destroy
       cookies.delete(:session_id)
     end
+
+    def clear_site_data
+      response.headers["Clear-Site-Data"] = '"cache","storage"'
+    end
 end
diff --git a/railties/lib/rails/generators/rails/authentication/templates/app/controllers/sessions_controller.rb.tt b/railties/lib/rails/generators/rails/authentication/templates/app/controllers/sessions_controller.rb.tt
@@ -16,6 +16,7 @@ class SessionsController < ApplicationController
 
   def destroy
     terminate_session
+    clear_site_data
     redirect_to new_session_path
   end
 end
