Note:
I'm not trying to prevent the back button! So I'm looking for a solution, not a patch.
In short:
How do I prevent someone from going back to the login step and refreshing the page (thus resending the username and password of the last user on the same computer), which results in a successful login without knowing or typing in the credentials?
A little longer:
To make this simpler, say you only have three scripts: login.php, auth.php and page.php. login.php has a form asking for a username and password. They're sent to auth.php, and if they match, it shows you the page.php content. If you log off while on page.php, you end up back on login.php.
Now here's the problem: if, after logging out, you keep going back (in the browser history or with the back button) long enough, you reach the point where the username/password was about to be sent to auth.php (the form's method is POST). Since the browser was trying to send form data (in this case the username/password), it tells you "Warning: Page has expired". If you hit F5 and choose retry, it resends whatever username/password combination was tried earlier (since it's still stored in the form/POST data) and ultimately gets you through to page.php without typing in the username/password again.
I've been trying to puzzle out the sequence of what must happen in the script, and when, in order to avoid such an easy exploit. I have a decent security arsenal including sessions, encrypted passwords, injection prevention, etc., but I don't get how even sessions would solve this, since that's when you get a new session_id along with a matched username/password. To me it sounds like the username/password is already typed in on some website and all you'd need to do is hit enter to log in. Like keys left in the car...
I must have missed something big time here! Any thoughts, links, solutions...?
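One way to close this hole, as an added example that is not part of the original post: issue a single-use token with the login form, consume it in auth.php so a replayed POST (F5 + retry on the history entry) is rejected, and redirect after the POST so the history entry that follows is a GET. The file layout follows the question; check_credentials() is a hypothetical placeholder for your existing password check.

```php
<?php
// ---- login.php ---- (added example, not the asker's code)
// Issue a single-use token with the form; a replayed POST carries a stale one.
session_start();
$_SESSION['login_token'] = bin2hex(random_bytes(32));
?>
<form method="post" action="auth.php">
  <input type="hidden" name="token" value="<?= htmlspecialchars($_SESSION['login_token']) ?>">
  <input name="username"> <input type="password" name="password">
  <button type="submit">Log in</button>
</form>

<?php
// ---- auth.php ----
session_start();
$expected = $_SESSION['login_token'] ?? null;
unset($_SESSION['login_token']);              // consume: each token is good for exactly one submission
$given = (string)($_POST['token'] ?? '');
if ($expected === null || !hash_equals($expected, $given)) {
    // Stale or replayed form (e.g. F5 + "retry" on a history entry): back to the form, credentials ignored
    header('Location: login.php', true, 303);
    exit;
}
// check_credentials() is a hypothetical placeholder for the asker's existing password_verify()-based lookup
if (!check_credentials($_POST['username'] ?? '', $_POST['password'] ?? '')) {
    header('Location: login.php', true, 303);
    exit;
}
session_regenerate_id(true);                  // new session id on privilege change
$_SESSION['user'] = $_POST['username'];
header('Location: page.php', true, 303);      // Post/Redirect/Get: history ends on GET page.php, not the POST
exit;
?>

<?php
// ---- logout.php (what page.php's "log off" link calls) ----
session_start();
$_SESSION = [];
if (ini_get('session.use_cookies')) {          // expire the cookie too, not just the server-side data
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}
session_destroy();
header('Location: login.php', true, 303);
exit;
?>
```

After logout the session holding the token is gone, so the token inside the resent POST matches nothing and auth.php sends the browser back to the form instead of re-checking the old username/password.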