From 15991677d49c7f1c4fb04a2c9696e44cc8a70f67 Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 9 Nov 2018 11:14:35 +1100
Subject: [PATCH] FIX: ensure we never cache login redirects by mistake

---
 app/controllers/application_controller.rb | 2 ++
 spec/requests/application_controller_spec.rb | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index f46860ff0f5..9cec48c193a 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -692,7 +692,9 @@ class ApplicationController < ActionController::Base
     return if current_user || (request.format.json? && is_api?)
 
     if SiteSetting.login_required?
+      flash.keep
+      dont_cache_page
       if SiteSetting.enable_sso?
         # save original URL in a session so we can redirect after login
diff --git a/spec/requests/application_controller_spec.rb b/spec/requests/application_controller_spec.rb
index 409bae594d2..64093e48518 100644
--- a/spec/requests/application_controller_spec.rb
+++ b/spec/requests/application_controller_spec.rb
@@ -13,6 +13,11 @@ RSpec.describe ApplicationController do
       get "/?authComplete=true"
       expect(response).to redirect_to('/login?authComplete=true')
     end
+
+    it "should never cache a login redirect" do
+      get "/"
+      expect(response.headers["Cache-Control"]).to eq("no-cache, no-store")
+    end
   end
 
   describe 'invalid request params' do
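Review bot: The two added lines `flash.keep` and `dont_cache_page` carry no comment explaining why a login redirect must not be cached, and the commit title only covers half of it, so the next person to touch this branch will not know which invariant they are protecting; a why-comment would help, e.g. `# Never let a shared cache store this redirect: it carries per-user state (flash, destination cookie/session) that would otherwise be replayed to other visitors`. The reason `flash.keep` was added is not recoverable from the hunk or the message at all, so it deserves its own note or a spec of its own. `dont_cache_page` is defined outside this hunk; its effect is only inferred from the new spec (`Cache-Control: no-cache, no-store`), so confirm it also sets `Pragma`/`Expires` if HTTP/1.0 intermediaries matter in your deployments. The enclosing method begins before and ends after this hunk.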
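Review bot: The new example never asserts that `get "/"` actually produced a login redirect, so it would keep passing if a setup change meant `/` rendered normally and the header came from somewhere else; pin the precondition with `expect(response).to redirect_to('/login')` (or at least `expect(response.status).to eq(302)`) before checking `Cache-Control`. It also only exercises the non-SSO branch; since `dont_cache_page` sits above `if SiteSetting.enable_sso?`, a second example with `SiteSetting.enable_sso = true` would show the SSO redirect gets the same header. Whether `login_required` is enabled for this group is set outside the hunk, presumably in a `before` block, so I can't verify it from here.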