Avoid user re-enter system after logout by pressing back

I am developing a PHP-based site. I use the code below to prevent the user from pressing back after logout:

header( "Last-Modified: " . gmdate( "D, d M Y H:i:s" ) . " GMT" ); // "d" = two-digit day, as the HTTP date format requires
header( "Expires: " . gmdate( "D, d M Y H:i:s", time() ) . " GMT" );
header( "Cache-Control: no-store, no-cache, must-revalidate" ); // HTTP/1.1
header( "Cache-Control: post-check=0, pre-check=0", FALSE );
header( "Pragma: no-cache" ); // HTTP/1.0

However, this makes all my forms reset when the user presses back. I want to do something Gmail-style: if a user has logged out, I want to redirect him to a page, then from that page I want to redirect to a logout-successful message page, so the user cannot press the back button and return inside the member area.

Ivo Stoykov Commented:
Hi radzeen,

Better to create a session stamp for the user on logon and destroy it on logoff.
This way, even by pressing the back button, the user won't be able to enter.

This means that you must have a check on each and every page you send to the user.
If the required data is not there -> log on


radzeen (Author) Commented:
Hi ivostoykov,

Currently I use cookies; I check in each member-area file. If there are no cookies, then I redirect them to the login page. It is working. But the problem is that when someone logs out, they can still hit the back button and view the user area section. They will only be redirected if they refresh the page.

By the way, what do you mean by session stamp? Can you explain further?

Ivo Stoykov Commented:
Hi radzeen,

Cookies are not so reliable, for many reasons. Nevertheless, a session *is* using cookies - it is better IMHO.

If you set cookies, the user might close the window without logging out, or might type a URL and navigate outside your server, etc.

Sessions might be ruled by your server, and all of the above will be handled correctly.

By session stamp I mean any appropriate session data related to the logged-in user. It might be anything suitable for your purposes; for instance, a userID hash will do a perfect job.

radzeen (Author) Commented:
Hi ivostoykov,

Session might be better than cookies. But the problem is that even when I use a session (actually I use a session for the admin site), I can still hit the back button and get into the restricted area even after I have logged out and destroyed the session. The browser always caches all pages; session deletion is only detected when the user refreshes the page. How do I prevent the user from re-entering the system after logout by pressing back?

Thanks in advance

Ivo Stoykov Commented:
Hi radzeen,
Yes, this is true, and this is why you must have a check on each and every page you send to the user.
When the user closes the window or navigates outside your server, the session is usually destroyed, and pressing the back button will return to the page but without session data. Here comes your check and the following redirection.
If the session is still valid, you have to check your settings.

radzeen (Author) Commented:
I use this code to validate session in each page:

Please provide your code. It is only working if I refresh the browser.
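session_start();
// empty() also covers the case where the key was never set
if (empty($_SESSION['SS_usno'])) {
    // redirect to the login page
    header("Location: login.php?flag=lg");
    exit; // stop here so the rest of the page is not sent
}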


Ivo Stoykov Commented:
You must call session_unset() when the user logs off so that next time the session is empty.
Additionally, you have to catch the leaving event on the client side and destroy the session.
These two are mandatory; otherwise the back button will always enter as long as there is a valid session.
Even if you prefer cookies, the same mechanism must be used to destroy the cookie, i.e. when the user closes or leaves.
I cannot paste code, for there are too many dependencies, and this is not a matter of a few lines but a few files.
Hope you've caught the idea.

radzeen (Author) Commented:
I am quite confused at step 2, "Additionally you have to catch leaving event on client side and destroy the session".

Actually, do you get this done by using JavaScript or PHP?

Ivo Stoykov Commented:
On the client you have only JavaScript.
On the server you could check whether the referer is empty. If the user comes from a page on your server, there will be the page it comes from; if not, it comes from elsewhere and must log on.

shadow_shooter Commented:
Simply, it happens because the webpage that the user was on is cached by browsers. I am not sure how to prevent that from happening. Maybe you can try refreshing the corresponding page by header commands. I'm still not sure if it will work since the browser does not request the page from the server. There should be something to force the browser not to cache the page.

You can try these:

<meta http-equiv="cache-control" content="no-cache"> <!-- tells browser not to cache -->
<meta http-equiv="expires" content="0"> <!-- says that the cache expires 'now' -->
<meta http-equiv="pragma" content="no-cache"> <!-- says not to use cached stuff, if there is any -->

You should try each of them and you should include it between the head tags since they are meta values.

If they don't work, then you can try the alternative version mentioned on one of the webpages, a solution given to another user who has the same problem:

"The onload event should be fired when the user hits the back button. Elements not created via JavaScript will retain their values. I suggest keeping a backup of the data used in dynamically created elements within an INPUT TYPE="hidden" or TEXTAREA set to display:none, then onload using the value of the textbox to rebuild the dynamic elements to the way they were. If you don't care about rebuilding the page and want to actually reload it, then you could do:
<input type="hidden" id="refreshed" value="no">
<script type="text/javascript">onload=function(){
var e=document.getElementById("refreshed");
if(e.value=="no")e.value="yes";
else{e.value="no";location.reload();}
}</script> "

Let me know the results.

radzeen (Author) Commented:
Hi shadow_shooter,
I am working on something else right now. I will definitely try it by today.

Ivo Stoykov Commented:
Hi radzeen,
The problem is not in the page and JavaScript.
It is in the PHP SESSION. It is what sends cookies and allows returning to the page if the cookie is not expired.
One approach could be:
  1. Create a hidden frame.
  2. Set a short timeout (let's say 30 secs).
  3. Refresh the hidden frame on a smaller interval (let's say 25 secs).
This way the session will expire very soon, and the chance of the user returning by hitting the back button is very small.
Let me know what the result is.

radzeen (Author) Commented:
thank you