How can I prevent the browser's back button from accessing restricted information, after the user has logged out?

Tags: express


Since the browser pulls that page from cache, it doesn't matter what you do on that page, unless you add a JS check to see if the user is still authenticated... but that doesn't solve the problem of the page being in cache.

Reframing the problem as a cache one, I found this answer: https://stackoverflow.com/a/24591864/217374

It's been over a year since you asked, so I don't expect you specifically to need the answer any more, but there it is for anyone else who comes by.


When the user navigates back in the browser, the data is shown from the local browser cache and not requested from your server. What you can do is add some JavaScript to your logout event. That piece of JS can remove sensitive pages from the browser history. You can work with window.history to manipulate the browser history. Have a look at this guide for manipulating the browser history and the window.history API.

Not sure if this is bulletproof.


Add these lines in your HTML (or view files):

meta(http-equiv='Cache-Control', content='no-store, no-cache, must-revalidate')
meta(http-equiv='Pragma', content='no-cache')
meta(http-equiv='Expires', content='-1')
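
The cache framing from the first answer, with the same directives as the meta tags above sent as HTTP response headers and paired with a server-side session check. This is an added example, not code from any of the answers; `noStore`, `requireLogin`, `simulate`, the `/login` path and the `req.session.user` field are assumptions.

```javascript
// Added example. Express-style middleware: (req, res, next). No imports needed.
// Assumption: a session middleware has populated req.session (user set on login).

const NO_STORE_HEADERS = {
  'Cache-Control': 'no-store, no-cache, must-revalidate, private',
  'Pragma': 'no-cache', // for HTTP/1.0 caches
  'Expires': '0',
};

// Mark the response as not storable, so Back has no cached copy to show.
function noStore(req, res, next) {
  for (const [name, value] of Object.entries(NO_STORE_HEADERS)) {
    res.setHeader(name, value);
  }
  next();
}

// Server-side gate: the re-request that Back triggers after logout lands here.
function requireLogin(req, res, next) {
  if (req.session && req.session.user) return next();
  res.statusCode = 302;
  res.setHeader('Location', '/login');
  res.end();
}

// Constructed request/response stand-ins, only to exercise the chain offline.
function simulate(session) {
  const res = {
    statusCode: 200, headers: {}, body: null,
    setHeader(name, value) { this.headers[name] = value; },
    end(body) { this.body = body || ''; },
  };
  const req = { session };
  const page = (rq, rs) => rs.end('account page for ' + rq.session.user);
  noStore(req, res, () => requireLogin(req, res, () => page(req, res)));
  return res;
}

// In an Express app (hypothetical route and handler):
//   app.get('/account', noStore, requireLogin, showAccount);
```

Placing `noStore` ahead of `requireLogin` means the redirect to the login page is also served with the no-store headers.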