Does Next.js have this Back Button security issue?
Unanswered
Himalayan posted this in #help-forum
HimalayanOP
https://github.com/inertiajs/inertia/issues/102
In Inertia+Laravel, when you logout, you can still access protected pages using the browser's back button.
Is this the same in Next.js when using Auth.js or Lucia?
24 Replies
@B33fb0n3 https://github.com/inertiajs/inertia/issues/102#issuecomment-556496987
HimalayanOP
Can you setup no cache for pages behind a middleware in Next?
I have heard that there is an issue when it comes to caching and they try to make it opt-in in v15.
@!=tgt for authjs it's not a problem, idk for lucia
HimalayanOP
Could you please test it on some of your app that uses it. I haven't done anything with Next yet, to test it. Thanks in advance.
@Himalayan Can you setup no cache for pages behind a middleware in Next?
... and just the way the browser works by default. The browser is the client and nextjs is by default the server. So I don't think that you will be able to achieve that
HimalayanOP
the guy @!=tgt says he can achieve that
@Himalayan https://github.com/inertiajs/inertia/issues/102
In Inertia+Laravel, when you logout, you can still access protected pages using the browser's back button.
Is this the same in Next.js when using Auth.js or Lucia?
1. bfcache is disabled if you send this header `Cache-Control: "no-cache, no-store, must-revalidate"`. It can be sent in middleware or next.config.js
2. this is not a security issue. it is the same as when the user takes the screenshot of the authenticated app, then logs out. the user *can* read the authenticated content *for that session only*, but they cannot make any authenticated actions.
yes, the user can simply press the browser back button, but they cannot do anything other than sitting in that page and viewing the content. they cannot, say, submit a form in there, unless your code by itself has a security bug
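Here is what the "send it in middleware or next.config.js" half of that answer looks like in code. This is an added example, not something posted in the thread or taken from Next.js, Auth.js or Lucia; the `/dashboard` and `/account` prefixes are assumed, and the `Response` stand-in is used so the logic runs under plain Node (in middleware.ts you would pass `NextResponse.next()`, whose `headers` is the same standard `Headers` object):

```javascript
// Added example (not from the thread): the Cache-Control value joulev
// recommends, applied from a middleware and declared for next.config.js.
const NO_STORE = "no-cache, no-store, must-revalidate";

// Route prefixes that sit behind the auth middleware (assumed for this example).
const PROTECTED_PREFIXES = ["/dashboard", "/account"];

// True for the prefix itself and anything below it; "/dashboardx" is not protected.
function isProtectedPath(pathname) {
  return PROTECTED_PREFIXES.some(
    (prefix) => pathname === prefix || pathname.startsWith(prefix + "/")
  );
}

// Middleware half: set the header on the outgoing response for protected paths.
// `response` is any object with a standard Headers instance, e.g. NextResponse.next().
function withNoStore(pathname, response = new Response(null)) {
  if (isProtectedPath(pathname)) {
    response.headers.set("Cache-Control", NO_STORE);
  }
  return response;
}

// next.config.js half: the same header as `headers()` entries, one per prefix.
// `:path*` is zero-or-more segments, so the prefix itself is covered too.
function protectedRouteHeaders() {
  return PROTECTED_PREFIXES.map((prefix) => ({
    source: `${prefix}/:path*`,
    headers: [{ key: "Cache-Control", value: NO_STORE }],
  }));
}

// Check for a response you fetched from a protected page: does its
// Cache-Control actually carry no-store, the directive that keeps the page
// out of the browser's cache and bfcache?
function isNoStore(cacheControl) {
  const directives = (cacheControl || "")
    .split(",")
    .map((d) => d.trim().toLowerCase());
  return directives.includes("no-store");
}
```

Wire `protectedRouteHeaders()` into `async headers() { return protectedRouteHeaders(); }` in next.config.js, or call `withNoStore(request.nextUrl.pathname, NextResponse.next())` from middleware; you only need one of the two.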
@joulev 1. bfcache is disabled if you send this header `Cache-Control: "no-cache, no-store, must-revalidate"`. It can be sent in middleware or next.config.js
2. this is not a security issue. it is the same as when the user takes the screenshot of the authenticated app, then log out. the user *can* read the authenticated content *for that session only*, but they cannot make any authenticated actions.
yes, the user can simply press the browser back button, but they cannot do anything other than sitting in that page and viewing the content. they cannot, say, submit a form in there, unless your code by itself has a security bug
HimalayanOP
Maybe for you, but for me it IS a security issue. My app will be used in schools and shared spaces where many people rotate on one computer. It's important to me to do it right. And currently, using Inertia this is impossible to do. Remix seems to be refreshing stuff on back button by default. But I will check your solution as well.
yes then the keyword to search for is "bfcache". just send a good cache-control header and browsers won't cache it
@joulev yes then the keyword to search for is "bfcache". just send a good cache-control header and browsers won't cache it
HimalayanOP
OK, thanks. will try.
@joulev yes then the keyword to search for is "bfcache". just send a good cache-control header and browsers won't cache it
HimalayanOP
To check what I mean go here: https://demo.inertiajs.com/
and do some stuff as john doe after login
go back and forth and then log out.
and click on back button in the browser. you will go back even if you are logged out. That's super dangerous on shared computers in schools and public places.
Brown bear
Use NextAuth.js
Then, you can solve this problem @Himalayan
@!=tgt Just did
HimalayanOP
when you log out and then press the back button does it show what you saw as logged in user?
@Brown bear Use NextAuth.js
Then, you can solve this problem @Himalayan
HimalayanOP
Yeah, it seems to be working OK with NextAuth.js. The back button doesn't show the content of the protected area like Inertia.js does. So that's nice to know.
By the way, what is the difference between NextAuth.js and Auth.js? Which one should I install in Next 14?
@!=tgt no
HimalayanOP
great