Logout security question

I’m a little confused about the security of the login process. Currently after using Google to authenticate the user I get passed a URL with a query string. I use the userId and userToken from the query string to “finish” the login with setCurrentUser, etc. But if I execute the logout() function and redirect to a sign in page all I have to do is click the back button of the browser and the query string variables log me right back in again. Is there a better way to do this or should I be running something else to invalidate the token for the BE application?

I guess for now I could wipe the url from the history, but I don’t know if that is the correct approach…feels like there should be a different solution?

Could you please provide a detailed step by step description with code snippets so we’re able to reproduce this issue?

Yes when I log into the app with Google as the service I get a url with id and token included which looks like this:


from this url I pull the userToken and userId to run:

Backendless.UserService.setCurrentUser({'user-token':userToken, objectId: userId}, 'true');

Backendless.UserService.getCurrentUser(true) //force load full user object from server
          .then(user => {
            console.log("Logged in User: " , user);
            //window.history.replaceState({}, document.title, window.location.pathname);
          .catch(error => {

With the window.history line commented out you could log out with:

   .then( () => { 
      location.href = 'pages/authentication/simple/sign-up.html'
      console.log( 'Logged Off' ); 
   .catch( error => { console.error( error ); } );

Then press the back button in the browser which contains the token and userId and it logs you right back in again. Erasing the url in the history seems weird…but is that the best practice to prevent this? Seems like the logout via Backendless would render the token unusable or something…

Hello @David_Thompson,

I’ve tried to reproduce your issue, but without success. Indeed, when the query parameters contain ‘user-token’ and ‘userId’, the application should attempt to log in the user using this data. However, if the user logged out before this, attempting to log in with the old ‘user-token’ would correctly result in an error stating that the token is no longer valid.

In your case, it seems that the old token remains valid, which is unexpected. Could you please create a simple page with reproducible code and share it with us? This would greatly help in diagnosing and resolving the issue. Thank you.