
Can't end session with logout button

I've searched the web for hours trying to figure out this problem and
can't seem to find any pertinent answers. I have a website where the
user starts on a login page, puts in their credentials and hits a
submit button, which then takes the user to a 2nd PHP page which simply
runs PHP code that checks the user's credentials from my database, and
if authenticated creates a session, assigns a few session variables
(including a session variable showing that the user has been
authenticated) and then forwards them to a third page that pulls up an
inventory based on their membership in a group.

All subsequent pages (including this inventory page) check for the
"$_SESSION['auth']" variable to make sure the person has been
authenticated before they can access any other pages. This all works
fine. Here is the problem...

At the bottom of the third page which lists the inventory data I have a
"LogOut" button. When the user clicks the button they are taken back to
the original login page and their session killed. The problem is that
the user can hit the "Back" button on the browser and it STILL lets
them get BACK into the inventory page, even though the session has been
killed along with the "$_SESSION['auth']" variable. I don't want them
to be able to do this.

I know the code that protects each page after login is working because
if I close the browser and try to directly access the inventory page
(without logging in first) it won't let me in because I don't have the
"$_SESSION['auth']" set. So why does hitting the "Back" button allow me
to get into the page?

Below is the beginning code on the login page which kills the session
(if a session already exists). Hitting the "LogOut" button on the 3rd
page (inventory page) simply redirects the user back to the login page
which runs this code. I tried killing the session from the 3rd page
but didn't have any luck there either. By the way, if I put in a line
of code after the code below to test for the existence of a session it
says there is no active session...So why they can hit "Back" and still
access the inventory page DESPITE that no session variables exist is
beyond me...

<?php
session_start();

$_SESSION = array();
session_destroy();

?>

Any help is much appreciated! I'm using PHP 5 with IIS 6. Let me know
if any other code and/or information is needed. Thanks!

Jul 17 '05 #1
They can hit the back button to get to that inventory page, but if you
try to do anything on that page after logging out, it won't let them.
If you really need to prevent them from being able to see that page by
hitting the back button, insert the following meta tag in the head
section:
<meta http-equiv="pragma" content="no-cache" />
But this will prevent the browser from caching the page, making the
page much slower to load, so you shouldn't use it unless you have to.
It also won't work in some browsers.
Or you could use Javascript to prevent them from hitting the back
button at all, but this is *really* annoying, and you can get around it
easily by disabling Javascript. Still, it is useful sometimes in
programs that I write only for my own use.

Jul 17 '05 #2

DJ Craig wrote:
> They can hit the back button to get to that inventory page, but if you
> try to do anything on that page after logging out, it won't let them.
> If you really need to prevent them from being able to see that page by
> hitting the back button, insert the following meta tag in the head
> section:
> <meta http-equiv="pragma" content="no-cache" />
> But this will prevent the browser from caching the page, making the
> page much slower to load, so you shouldn't use it unless you have to.
> It also won't work in some browsers.
> Or you could use Javascript to prevent them from hitting the back
> button at all, but this is *really* annoying, and you can get around it
> easily by disabling Javascript. Still, it is useful sometimes in
> programs that I write only for my own use.


alternative to the caching: use something along the lines of

if(!$_SESSION['auth']) { die('not logged in'); }

at the top of each page. could be a redirect also.

micha

Jul 17 '05 #4
Thanks, adding the line "<meta http-equiv="pragma" content="no-cache"
/>" worked.

Micha, I already had the code below at the top of each page, but for
some reason it wouldn't do the redirect after hitting the "Back"
button. I'm still not sure why. Just because the page is being read
from the cache shouldn't mean it should ignore the PHP code at the
beginning of the page, which should have redirected the user to an
"error" page. I've seen numerous PHP driven web sites that have "log
off" buttons, and they don't allow the user to see their last page by
hitting "back" after they've logged off. I wonder if all of these sites
are using the "no cache" meta tag or some other mechanism? Thanks for
answering my posts guys.

<?php
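session_start();

// Redirect unauthenticated visitors; 'auth' may be unset, so test with empty().
if (empty($_SESSION['auth']) || $_SESSION['auth'] != 1)
{
    header('Location: Error.php');
    exit; // stop the script so the rest of the page is not sent
}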
?>

Jul 17 '05 #5
Jeff (je********@hotmail.com) wrote:
: Thanks, adding the line "<meta http-equiv="pragma" content="no-cache"
: />" worked.

: Micha, I already had the code below at the top of each page, but for
: some reason it wouldn't do the redirect after hitting the "Back"
: button. I'm still not sure why. Just because the page is being read
: from the cache shouldn't mean it should ignore the PHP code at the
: beginning of the page,

But if the page is in the cache then your script is not being called to
display the page. The browser is displaying a previously saved copy of the
html generated by your php script.

: which should have redirected the user to an
: "error" page. I've seen numerous PHP driven web sites that have "log
: off" buttons, and they don't allow the user go see their last page by
: hitting "back" after they've logged off. I wonder if all of these sites
: are using the "no cache" meta tag or some other mechanism? Thanks for
: answering my posts guys.

It should be easy enough to examine their html to find out.

: <?php
: session_start();

: If (!$_SESSION['auth'] == 1)
: {
: header('location:Error.php');
: }
: ?>
--

This space not for rent.
Jul 17 '05 #6
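
The point made in #6, that the Back button redisplays a saved copy without calling the script, can also be handled with HTTP response headers sent from PHP rather than a meta tag, together with a logout that expires the session cookie. The following PHP is an added example, not code from any poster in this thread; the function names and `login.php` are assumptions, while `Error.php` and `$_SESSION['auth']` come from the thread.

```php
<?php
// Added example (not from the thread). require_login(), logout() and
// login.php are hypothetical names; Error.php and 'auth' are the thread's.

// Call at the top of every protected page, before any output is sent.
function require_login()
{
    session_start();

    // Tell the browser and any intermediate cache not to store this
    // response, so "Back" after logout has no saved copy to display
    // and has to request the page again.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');   // for HTTP/1.0 caches
    header('Expires: 0');

    if (empty($_SESSION['auth']) || $_SESSION['auth'] != 1) {
        header('Location: Error.php');
        exit; // without this the protected page body is still generated
    }
}

// Call from the logout handler, before any output is sent.
function logout()
{
    session_start();
    $_SESSION = array();

    // session_destroy() removes the server-side data only; expire the
    // session cookie in the browser as well.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();

    header('Cache-Control: no-store');
    header('Location: login.php'); // assumed name of the login page
    exit;
}
```

With the headers in place, pressing "Back" after logout makes the browser request the page again, so the `$_SESSION['auth']` check runs on the server and the redirect takes effect.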
Thanks for the explanation. It makes sense now.

Jul 17 '05 #7
