Right, but he is talking about cached versions of legitimately visited
pages hanging around in the browser cache after logout. This means the
requests are not even hitting rails so sessions make no difference.
Setting Cache-Control: no-cache, as was said before, is the best thing
you can do along with recommending the user close the browser after
logout. However, neither of these is a guarantee.
Shandy Nantz wrote: