Browser Shows Cached Content from OAG Application after Session Expiration and Does Not Trigger IDP Flow Until Refresh
Overview
A missing response header in the backend application causes the browser to display cached content from an Okta Access Gateway (OAG) application after session expiration instead of triggering the Identity Provider (IdP) authentication flow. Adding the appropriate cache-control header to the backend application or to the OAG root policy resolves this issue. Because the browser serves the page from its cache, it never sends the request that would redirect the user to the IdP, so the user sees protected content after the session has expired. This behavior occurs when the user clicks the back button after logging out, or opens a new browser window with Browser Session Expiration enabled. The issue typically surfaces when traffic is routed through a load balancer rather than connecting directly, and it may affect only specific browsers.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Okta Access Gateway (OAG)
Cause
The backend application lacks the proper response header required to prevent browsers from caching information.
Solution
How is the cached content issue resolved?
Configure the backend application to send the correct response header to prevent browser caching.
Implement the following header in the backend application to ensure the browser does not cache information.
cache-control: no-cache, no-store, must-revalidate
Okta Access Gateway provides a workaround to add the cache-control header.
If modifying the backend application is not possible, apply a workaround in Okta Access Gateway by adding the cache-control header directly to the root policy.
Apply the following syntax to add the cache-control header to the root policy.
add_header cache-control "no-cache, no-store, must-revalidate";
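To confirm that the header actually reaches the browser after the change (for example through the load balancer mentioned above), the following check, added here and not part of the Okta article, parses the Cache-Control directives of a response and reports which of the three required ones are missing. The sample responses are constructed, and `check_url` is a hypothetical helper for pointing the check at your own application URL.

```python
"""Verify that a response carries cache-control: no-cache, no-store, must-revalidate."""
from typing import Dict, Iterable, List, Mapping, Optional, Set
import urllib.request

REQUIRED = frozenset({"no-cache", "no-store", "must-revalidate"})


def parse_cache_control(values: Iterable[str]) -> Dict[str, Optional[str]]:
    """Split one or more Cache-Control header values into a directive map.

    Directive names are case-insensitive; 'max-age=0' becomes {'max-age': '0'}.
    Several headers with the same name are merged, as browsers do.
    """
    directives: Dict[str, Optional[str]] = {}
    for value in values:
        for part in value.split(","):
            part = part.strip()
            if not part:
                continue
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def missing_directives(headers: Mapping[str, Iterable[str]]) -> Set[str]:
    """Return the required directives absent from the response headers.

    `headers` maps header name -> list of values; the header name is matched
    case-insensitively (Cache-Control vs cache-control).
    """
    values = [v for k, vs in headers.items() if k.lower() == "cache-control" for v in vs]
    return set(REQUIRED) - set(parse_cache_control(values))


def check_url(url: str) -> Set[str]:
    """Hypothetical helper: fetch `url` and report missing directives on its response."""
    headers: Dict[str, List[str]] = {}
    with urllib.request.urlopen(url) as resp:  # follows any redirect to the IdP
        for k, v in resp.getheaders():
            headers.setdefault(k, []).append(v)
    return missing_directives(headers)


# Constructed sample responses, not captured from a real OAG deployment.
FIXED = {"Content-Type": ["text/html"],
         "Cache-Control": ["no-cache, no-store, must-revalidate"]}
BROKEN = {"Content-Type": ["text/html"],
          "Cache-Control": ["private, max-age=0"]}

if __name__ == "__main__":
    print("fixed response missing:", missing_directives(FIXED) or "nothing")
    print("broken response missing:", sorted(missing_directives(BROKEN)))
```

An empty result means the header is complete; a non-empty set names the directives the backend or root policy still has to add.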
