prevent back button after logout page


5

I have a PHP logout page. When the user clicks the logout link, they see this page and are redirected to the index page. But when I click the back button I see the previous page with user data. Of course, when I refresh the page I don't see the previous page and data. I checked other code (Drupal): after clicking logout and clicking the back button I don't see the previous page and see the login page. Where is my problem? How do I fix this?

LOGOUT PAGE :

if (isset($_GET['req']) && $_GET['req'] == 'logout') {
    session_start();
    session_destroy();
    header("Location: index.php");
    exit();
}

Thanks

2012-04-04 17:52
by BBKing
you can't do this with PHP, you need to do this with J - Michal 2012-04-04 17:53
The 'previous' page will still be in the browser's cache. If you want to prevent 'back' operations to a page that requires an active login, you'll have to make them uncachable - Marc B 2012-04-04 17:54
making them uncacheable will not prevent the browser to store them in history... im - Michal 2012-04-04 17:56
Do not do session manipulation on get requests, especially not login and logout requests. Use POST instead, I think drupal does it as well with post - hakre 2012-04-04 18:15


2

The code is right. Actually you don't need to prevent people clicking on the back button. If you really think this is important you could save a cookie or something else in logout.php and the main page checks with AJAX whether this cookie is set. And if it is you could reload the page with JS (and of course unset the cookie then). But a really safe way doesn't exist.

2012-04-04 17:57
by Dion


2

I think this is mostly a client-side issue and due to browser cache headers.

What is the fix?

In my opinion you need to set cache headers for static content and non-static content properly.

Static contents (css/javascript/images ): read this

For php page itself: header("Cache-Control: no-store, no-cache, must-revalidate");

should do the trick

2012-04-04 18:17
by sakhunzai
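
The approach from this answer, combined with Marc B's and hakre's comments on the question (uncacheable pages, logout over POST), as an added example that is not part of any post on this page. The function names and the `$_SESSION['csrf']` token are assumptions; `$_SESSION['auth']` and `index.php` follow the other answers.

```php
<?php
// Added example, not code from the posts above. Assumed names: the helper
// functions, and $_SESSION['csrf'] (a random token stored at login and sent
// back as a hidden field of the logout form). $_SESSION['auth'] and
// index.php follow the answers on this page.

// Forbid storing the response, so "back" must re-request the page.
function send_no_store_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache'); // for HTTP/1.0 caches
    header('Expires: 0');       // already expired
}

// Call first on every page that shows user data.
function require_login(): void
{
    session_start();
    send_no_store_headers();
    if (empty($_SESSION['auth'])) {
        header('Location: index.php');
        exit;
    }
}

// Logout endpoint: state change on POST only, token checked before acting.
function handle_logout(): void
{
    session_start();
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit;
    }
    $token = (string)($_SESSION['csrf'] ?? '');
    if ($token === '' || !hash_equals($token, (string)($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit;
    }
    $_SESSION = [];                        // clear server-side data
    $p = session_get_cookie_params();      // expire the session cookie too
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    send_no_store_headers();
    header('Location: index.php');
    exit;
}
```

The headers only affect responses that were served with them; a page the browser stored before they were in place can still be shown from history.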


1

You are essentially asking how to purge the user's browser history and cache of a page they had access to, but no longer do. When you are logging a user out, you are removing their ability to re-load the page, and there is very little (if anything) you can do that can prevent the browser from showing them something they were at one time allowed to load (it's stale data). The important piece is that when they reload, they don't get new data - you can't wipe the cache for what they already loaded.

Edit: Also wanted to add something after reading others comments: you can tell the browser to not cache any of the data, which would require them to reload EVERYTHING, even when they press the back button, but you'd also be requiring them to reload everything even when they are authenticated - which is the tradeoff you'd have to put up with. It obviously depends on the particular situation your site has - but in most cases I don't think that would be a worthwhile tradeoff. Your hosting would require more bandwidth because resources would be re-downloaded on every page load, page loads would be longer because browsers couldn't rely on their local cache, so your application would naturally seem slower to users. As long as it's not absolutely necessary that the data not be seen unless they're actively logged in, I would just find a polite and unobtrusive way to tell your users to log out and close the browser window in order to lessen the likelihood of prying eyes seeing data they shouldn't.

2012-04-04 18:14
by Mattygabe


0

You are using $_GET but not validating anything from $_SESSION

Try this

session_start ();
if (isset ( $_GET ['req'] ) && $_GET ['req'] == 'logout') {
    $_SESSION ['auth'] = false ;
    session_destroy ();
}

if (! isset ( $_SESSION ['auth'] ) || $_SESSION ['auth'] == false) {
    header ( "Location: index.php" );
    exit ();
}

Make sure in your main pages you have something like this

session_start ();

// $loginOk is a placeholder name: set it from your own login condition
$loginOk = false;
if ($loginOk)
{
    $_SESSION ['auth'] = true ;
}

if (! isset ( $_SESSION ['auth'] ) || $_SESSION ['auth'] == false) {
    header ( "Location: index.php" );
    exit ();
}

Thanks

:)

2012-04-04 18:16
by Baba


0

Here is one easy and quick solution. To the login form tag add target="_blank" which displays content in a different window. Then after logout simply close that window and the back button problem (Safari browser) is solved. Even trying to use the history will not display the page and instead redirect to login page. This is fine for Safari browsers but for others such as Firefox the session_destroy(); takes care of it.

2013-07-03 15:38
by AntoBarn


0

<?php
session_start();
if (!isset($_SESSION['username']) && !isset($_SESSION['password'])) {
    header("Location:../index.php");
    exit;
}
else {
    session_destroy();
}
?>

paste this on every page or where your logout is

<?php
session_start();
session_unset();
session_destroy();
header("Location:../index.php");
exit;

user_logout.php

2014-08-28 06:47
by Blocked User


-3

add this to your code it will prevent user to click back button.

     ignore_user_abort(true);
2012-04-04 18:09
by hamp13
no, it will not... ignore_user_abort() sets whether a client disconnect should cause a script to be aborted - Michal 2012-04-04 18:11