diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index f46860ff0f5..9cec48c193a 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -692,7 +692,9 @@ class ApplicationController < ActionController::Base
     return if current_user || (request.format.json? && is_api?)
     if SiteSetting.login_required?
+      flash.keep
+      dont_cache_page
       if SiteSetting.enable_sso?
         # save original URL in a session so we can redirect after login
diff --git a/spec/requests/application_controller_spec.rb b/spec/requests/application_controller_spec.rb
index 409bae594d2..64093e48518 100644
--- a/spec/requests/application_controller_spec.rb
+++ b/spec/requests/application_controller_spec.rb
@@ -13,6 +13,11 @@ RSpec.describe ApplicationController do
       get "/?authComplete=true"
       expect(response).to redirect_to('/login?authComplete=true')
     end
+
+    it "should never cache a login redirect" do
+      get "/"
+      expect(response.headers["Cache-Control"]).to eq("no-cache, no-store")
+    end
   end
   describe 'invalid request params' do
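Review bot: The new `dont_cache_page` call inside `if SiteSetting.login_required?` carries no explanation of why this response must be uncacheable, and the reason is not obvious from the two added lines; a why-comment would help, e.g. `# The redirect to /login must not be stored by the browser or any shared cache, otherwise a user who has since logged in can keep being served the cached redirect.` That intent is inferred from the spec title in the companion hunk, so confirm it matches the actual bug being fixed. `dont_cache_page` is defined outside this hunk; it is worth confirming it emits `no-store` and not only `no-cache`, since `no-cache` alone still allows the 302 to be stored and revalidated by intermediaries. The enclosing method begins before this hunk and continues past it (the redirect itself is not visible), so the header must be set before that redirect is issued, which the placement here appears to satisfy.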
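Review bot: The new example "should never cache a login redirect" asserts only the `Cache-Control` header and never checks that `get "/"` actually produced the login redirect, so if the `before` setup that enables `login_required` (outside this hunk, presumably shared with the `authComplete` example above) ever changes, a plain 200 page carrying those headers would still pass. Adding `expect(response).to redirect_to('/login')` before the header check makes the test fail for the right reason. The exact-string `eq("no-cache, no-store")` is also brittle against directive ordering or an added `must-revalidate`; the security property is the presence of `no-store`, so `expect(response.headers["Cache-Control"]).to include("no-store")` pins what matters without coupling to formatting.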