I've searched the web for hours trying to figure out this problem and
can't seem to find any pertinent answers. I have a website where the
user starts on a login page, puts in their credentials and hits a
submit button, which then takes the user to a 2nd PHP page which simply
runs PHP code that checks the user's credentials from my database, and
if authenticated creates a session, assigns a few session variables
(including a session variable showing that the user has been
authenticated) and then forwards them to a third page that pulls up an
inventory based on their membership in a group.
All subsequent pages (including this inventory page) check for the
"$_SESSION['auth']" variable to make sure the person has been
authenticated before they can access any other pages. This all works
fine. Here is the problem...
At the bottom of the third page which lists the inventory data I have a
"LogOut" button. When the user clicks the button they are taken back to
the original login page and their session killed. The problem is that
the user can hit the "Back" button on the browser and it STILL lets
them get BACK into the inventory page, even though the session has been
killed along with the "$_SESSION['auth']" variable. I don't want them
to be able to do this.
I know the code that protects each page after login is working because
if I close the browser and try to directly access the inventory page
(without logging in first) it won't let me in because I don't have the
"$_SESSION['auth']" set. So why does hitting the "Back" button allow me
to get into the page?
Below is the beginning code on the login page which kills the session
(if a session already exists). Hitting the "LogOut" button on the 3rd
page (inventory page) simply redirects the user back to the login page
which runs this code. I tried killing the session from the 3rd page
but didn't have any luck there either. By the way, if I put in a line
of code after the code below to test for the existence of a session it
says there is no active session... So why they can hit "Back" and still
access the inventory page DESPITE the fact that no session variables
exist is beyond me...
<?php
session_start();          // resume the existing session (if any) so it can be cleared
$_SESSION = array();      // drop all session variables, including $_SESSION['auth']
session_destroy();        // delete the server-side session data
?>
Any help is much appreciated! I'm using PHP 5 with IIS 6. Let me know
if any other code and/or information is needed. Thanks!
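The symptom described above (a protected page reappearing on "Back" after logout) is usually the browser showing its cached copy of the inventory page without sending a new request, so the $_SESSION['auth'] check never runs. The following is an added example, not the poster's code, showing a guard include that forbids caching of protected pages plus a logout script that also deletes the session cookie; the file names auth_check.php, logout.php, login.php and inventory.php are assumed.

```php
<?php
// auth_check.php -- include at the very top of every protected page,
// e.g. <?php require 'auth_check.php'; ?> as the first line of inventory.php.
// (File names are assumed for this example.)
session_start();

// Tell the browser and any proxy not to keep a copy of this page. PHP normally
// sends similar headers via session.cache_limiter=nocache, but sending them
// explicitly removes the dependency on the php.ini setting. With no-store the
// "Back" button must re-request the page, so the auth check below runs again.
header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
header('Pragma: no-cache');                          // for HTTP/1.0 caches
header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');    // an already-expired date

if (empty($_SESSION['auth'])) {
    // Not authenticated (or logged out): send to the login page and stop.
    header('Location: login.php');
    exit;
}
?>
```

```php
<?php
// logout.php -- point the "LogOut" button here instead of straight at login.php.
session_start();

$_SESSION = array();            // clear every session variable, including 'auth'

// Also expire the session cookie in the browser so the old session id
// cannot be presented again; session_destroy() alone leaves the cookie behind.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}

session_destroy();              // remove the server-side session data

header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
header('Pragma: no-cache');
header('Location: login.php');
exit;
?>
```

The require must come before any HTML output, otherwise the header() calls fail with "headers already sent" and the page is cached as before.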