Right, but he is talking about cached versions of legitimately visited pages hanging around in the browser cache after logout. This means the requests are not even hitting rails so sessions make no difference. Setting Cache-Control: no-cache, as was said before, is the best thing you can do along with recommending the user close the browser after logout. However, neither of these is a guarantee.
-Bill
Shandy Nantz wrote: