Browser back button after signing out lets you get inside private route
After signing out and redirecting to a public route, if the browser's "back" button is clicked, it allows you to access the previous protected route (i.e. a page that should be only available if there is a session). It seems the session is not checked.
10 Replies
Maybe a caching issue? I had the same problem because the page was in the cache and no new request was made. Changing the way I handled the redirect solved it.
Ah yes, good point, indeed a caching issue. I'm on Next.js and trying to clear the cache after signing out. But revalidatePath("/", "layout") inside an after hook doesn't seem to do the trick.
I want to avoid redirecting and then clearing cache:
router.push(HOME_HREF)
router.refresh()
Try redirect instead of router
import { redirect } from 'next/navigation';
redirect('/');
The page is cached in the browser, I guess, not on the server/route.
Finally decided to use router.refresh() to ensure the client cache is cleared. It's a shame we can't router.push and clear the cache in a single stroke. Got confused by this example https://www.better-auth.com/docs/basic-usage#signout since it suggests router.push.
Thanks for the suggestions though, much appreciated!
It's because the router is client-side navigation. The redirect() returns an HTTP 3xx response, forcing the browser to perform a full request to the new URL. This ensures that when you tap back in the browser, the previous page is requested again. router.refresh() forces a reload, but still operates within the client-side navigation. So I still guess redirect is the way to go.
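The two server-side measures discussed in this thread, a server-issued 3xx redirect on sign-out and no-store caching headers on protected pages, shown together as an added example. This is not code from the thread or from Better Auth; it uses only the Web Fetch API (Request, Response, Headers, URL, available in Node 18+ and in Next.js route handlers). The path prefixes, the "session" cookie name and the `render` callback are assumptions standing in for the app's own routing and session lookup.

```javascript
// Added example, not from the thread or from Better Auth.
// Assumptions: protected path prefixes, a "session" cookie name, and a
// `render(request)` callback that produces the page are placeholders.

const PROTECTED_PREFIXES = ["/dashboard", "/settings"];
const NO_STORE = "no-store, no-cache, must-revalidate, max-age=0";

function isProtectedPath(pathname) {
  return PROTECTED_PREFIXES.some(
    (p) => pathname === p || pathname.startsWith(p + "/")
  );
}

// Mark a response as non-cacheable so the browser's back/forward cache
// cannot replay a protected page after the session is gone.
function withNoStore(response) {
  const headers = new Headers(response.headers);
  headers.set("Cache-Control", NO_STORE);
  headers.set("Pragma", "no-cache");
  headers.set("Expires", "0");
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers,
  });
}

// Server-side guard that runs on every request to a protected path. Because
// the page is sent with no-store, pressing "back" after sign-out forces a
// fresh request, which re-evaluates the session instead of showing a copy.
function guard(request, session, render) {
  const url = new URL(request.url);
  if (!isProtectedPath(url.pathname)) {
    return render(request); // public route: normal caching rules apply
  }
  if (!session) {
    // 303 See Other: the browser performs a new GET of "/" and the protected
    // content is never served, so nothing cacheable exists to go back to.
    return withNoStore(
      new Response(null, {
        status: 303,
        headers: { Location: new URL("/", url).toString() },
      })
    );
  }
  return withNoStore(render(request));
}

// Sign-out handler: clear the session cookie and answer with an HTTP 3xx
// rather than relying on a client-side router.push, so the browser performs
// a full request for the next page and discards the protected one.
function signOut(request) {
  const url = new URL(request.url);
  const headers = new Headers({
    Location: new URL("/", url).toString(),
    "Set-Cookie": "session=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0",
  });
  return withNoStore(new Response(null, { status: 303, headers }));
}
```

In a Next.js app the same headers can be set from middleware or a route handler, and the server action for sign-out ends with redirect('/') as suggested above; the no-store header is what stops the browser from reusing the protected page regardless of how the navigation was triggered.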
Someone pressure Next.js to give us a router.clearCache function
It is his own server action