
Can't end session with logout button

I've searched the web for hours trying to figure out this problem and
can't seem to find any pertinent answers. I have a website where the
user starts on a login page, puts in their credentials and hits a
submit button, which then takes the user to a 2nd PHP page which simply
runs PHP code that checks the user's credentials from my database, and
if authenticated creates a session, assigns a few session variables
(including a session variable showing that the user has been
authenticated) and then forwards them to a third page that pulls up an
inventory based on their membership in a group.

All subsequent pages (including this inventory page) check for the
"$_SESSION['auth']" variable to make sure the person has been
authenticated before they can access any other pages. This all works
fine. Here is the problem...

At the bottom of the third page which lists the inventory data I have a
"LogOut" button. When the user clicks the button they are taken back to
the original login page and their session killed. The problem is that
the user can hit the "Back" button on the browser and it STILL lets
them get BACK into the inventory page, even though the session has been
killed along with the "$_SESSION['auth']" variable. I don't want them
to be able to do this.

I know the code that protects each page after login is working because
if I close the browser and try to directly access the inventory page
(without logging in first) it won't let me in because I don't have the
"$_SESSION['auth']" set. So why does hitting the "Back" button allow me
to get into the page?

Below is the beginning code on the login page which kills the session
(if a session already exists). Hitting the "LogOut" button on the 3rd
page (inventory page) simply redirects the user back to the login page
which runs this code. I tried killing the session from the 3rd page
but didn't have any luck there either. By the way, if I put in a line
of code after the code below to test for the existence of a session it
says there is no active session... So why they can hit "Back" and still
access the inventory page DESPITE that no session variables exist is
beyond me...

<?php
session_start();

$_SESSION = array();
session_destroy();

?>

Any help is much appreciated! I'm using PHP 5 with IIS 6. Let me know
if any other code and/or information is needed. Thanks!

Jul 17 '05 #1


They can hit the back button to get to that inventory page, but if you
try to do anything on that page after logging out, it won't let them.
If you really need to prevent them from being able to see that page by
hitting the back button, insert the following meta tag in the head
section:
<meta http-equiv="pragma" content="no-cache" />
But this will prevent the browser from caching the page, making the
page much slower to load, so you shouldn't use it unless you have to.
It also won't work in some browsers.
Or you could use Javascript to prevent them from hitting the back
button at all, but this is *really* annoying, and you can get around it
easily by disabling Javascript. Still, it is useful sometimes in
programs that I write only for my own use.

Jul 17 '05 #2



DJ Craig wrote:
> They can hit the back button to get to that inventory page, but if you
> try to do anything on that page after logging out, it won't let them.
> If you really need to prevent them from being able to see that page by
> hitting the back button, insert the following meta tag in the head
> section:
> <meta http-equiv="pragma" content="no-cache" />
> But this will prevent the browser from caching the page, making the
> page much slower to load, so you shouldn't use it unless you have to.
> It also won't work in some browsers.
> Or you could use Javascript to prevent them from hitting the back
> button at all, but this is *really* annoying, and you can get around it
> easily by disabling Javascript. Still, it is useful sometimes in
> programs that I write only for my own use.


alternative to the caching: use something along the lines of

if(!$_SESSION['auth']) { die('not logged in'); }

at the top of each page. could be a redirect also.

micha

Jul 17 '05 #4

Thanks, adding the line "<meta http-equiv="pragma" content="no-cache"
/>" worked.

Micha, I already had the code below at the top of each page, but for
some reason it wouldn't do the redirect after hitting the "Back"
button. I'm still not sure why. Just because the page is being read
from the cache shouldn't mean it should ignore the PHP code at the
beginning of the page, which should have redirected the user to an
"error" page. I've seen numerous PHP driven web sites that have "log
off" buttons, and they don't allow the user to see their last page by
hitting "back" after they've logged off. I wonder if all of these sites
are using the "no cache" meta tag or some other mechanism? Thanks for
answering my posts guys.

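<?php
session_start();

// Send anyone without an authenticated session to the error page.
if (empty($_SESSION['auth']))
{
    header('Location: Error.php');
    exit; // stop here so the rest of the page is not sent
}
?>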

Jul 17 '05 #5

Jeff (je********@hotmail.com) wrote:
: Thanks, adding the line "<meta http-equiv="pragma" content="no-cache"
: />" worked.

: Micha, I already had the code below at the top of each page, but for
: some reason it wouldn't do the redirect after hitting the "Back"
: button. I'm still not sure why. Just because the page is being read
: from the cache shouldn't mean it should ignore the PHP code at the
: beginning of the page,

But if the page is in the cache then your script is not being called to
display the page. The browser is displaying a previously saved copy of the
html generated by your php script.
: which should have redirected the user to an
: "error" page. I've seen numerous PHP driven web sites that have "log
: off" buttons, and they don't allow the user to see their last page by
: hitting "back" after they've logged off. I wonder if all of these sites
: are using the "no cache" meta tag or some other mechanism? Thanks for
: answering my posts guys.

It should be easy enough to examine their html to find out.
: <?php
: session_start();

: If (!$_SESSION['auth'] == 1)
: {
: header('location:Error.php');
: }
: ?>
--

This space not for rent.
Jul 17 '05 #6
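
Added example, not part of the thread: one way to combine the two points made above, sending the no-cache instruction as real HTTP response headers from PHP and checking $_SESSION['auth'] on every request. The function names require_login() and logout() and the file name login.php are assumptions; Error.php and $_SESSION['auth'] are the names used in the thread.

```php
<?php
// Added example (not from the thread). Function names and login.php are
// assumptions; Error.php and $_SESSION['auth'] come from the thread.

// Call at the very top of every protected page, before any output.
function require_login()
{
    if (session_id() === '') {
        session_start();
    }

    // HTTP response headers rather than a <meta> tag: they ask the
    // browser and any intermediate proxy not to keep a copy of the page,
    // so there is no saved copy for the "Back" button to redisplay.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');   // for HTTP/1.0 caches
    header('Expires: 0');

    if (empty($_SESSION['auth'])) {
        header('Location: Error.php');
        exit;   // stop here so the protected HTML is never sent
    }
}

// Call from the script that the "LogOut" button points to.
function logout()
{
    if (session_id() === '') {
        session_start();
    }
    $_SESSION = array();

    // Expire the session cookie in the browser as well as on the server.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    session_destroy();
    header('Location: login.php');   // assumed name of the login page
    exit;
}
```

Each protected page would begin with a call to require_login(), and the logout script would consist of a call to logout().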

Thanks for the explanation. It makes sense now.

Jul 17 '05 #7
