There are two cases I'm concerned about here when a user logs out, then clicks the back button:
1. the user presses the "back" button and goes back to a page that would otherwise require authentication
Right now, the existing page is still kept in cache, so private data is still being seen. I'm guessing I'll be using Rails' new ETag support here, and I was just looking to see how everybody else has been handling this since before 2.2; this is less of a concern than #2, which is...
2. the user presses the "back" button and goes to a public page
The data in this case is not sensitive, but because Rails forms use authenticity tokens that are tied to the session, the session becomes invalidated after logging out. If the user presses the back button and then clicks "log out" again, an InvalidAuthenticityToken error is thrown; I'd really rather not show a 500 error page if this happens. Any ideas how to avoid it? (Is it a bug in rails if there's no way to avoid this?)
So the burning question on my mind here is, how do I avoid throwing an InvalidAuthenticityToken error, should a user log out, click 'back', then click on 'log out' again? (This question is posed by a client, so I can't just ignore this edge case.)
