This is hardly a flaw in Rails - if the user's login session isn't ended before handing physical access to another person, that's not really the software's problem.
Hm, I thought it was going to be talking about leaking information from your app, not browser cache.

Putting the database row ID in URLs, which is the Rails default, basically lets a competitor plot your growth with a simple script.
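An added example, not part of either comment above and not Rails code: a constructed in-memory table showing what a sequential ID in the URL discloses between two observations, next to a random public identifier that discloses nothing. `SignupTable`, `public_id`, the `/users/` paths and the sample rows are all assumptions made for the illustration.

```ruby
require "securerandom"

# Constructed in-memory stand-in for a table; not Rails or ActiveRecord code.
class SignupTable
  Row = Struct.new(:id, :public_id, :email)

  def initialize
    @next_id = 1
    @by_public_id = {}
  end

  # Insert a row with an auto-increment id plus a random, unguessable public_id.
  def create(email)
    public_id = SecureRandom.urlsafe_base64(16) # 128 bits of randomness
    public_id = SecureRandom.urlsafe_base64(16) while @by_public_id.key?(public_id)
    row = Row.new(@next_id, public_id, email)
    @next_id += 1
    @by_public_id[public_id] = row
  end

  # Lookups from a URL go through the token, never the primary key.
  def find_by_public_id(token)
    @by_public_id[token]
  end
end

# URL in the style the comment describes: the primary key is the path segment.
def sequential_url(row)
  "/users/#{row.id}"
end

# Hardened form: only the random token ever appears in a URL.
def opaque_url(row)
  "/users/#{row.public_id}"
end

# What two URLs seen at different times disclose: rows created in between.
def disclosed_growth(url_then, url_now)
  ids = [url_then, url_now].map { |u| u[%r{\A/users/(\d+)\z}, 1] }
  return nil if ids.any?(&:nil?) # segment is not a plain integer: nothing to subtract
  ids[1].to_i - ids[0].to_i
end

# Constructed sample data: one early row, 40 rows in between, one late row.
table = SignupTable.new
first = table.create("a@example.test")
40.times { |i| table.create("user#{i}@example.test") }
last = table.create("z@example.test")
```

In a Rails model the same change is usually made by overriding `to_param` to return the random column and looking records up by that column instead of by `id`.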