
Avoid user re-enter system after logout by pressing back

I am developing a PHP-based site. I use the code below to avoid the user pressing back after logout:

// HTTP dates use a two-digit day of month, hence "d" rather than "j"
header( "Last-Modified: " . gmdate( "D, d M Y H:i:s" ) . " GMT" );
header( "Expires: " . gmdate( "D, d M Y H:i:s", time() ) . " GMT" );
header( "Cache-Control: no-store, no-cache, must-revalidate" ); // HTTP/1.1
header( "Cache-Control: post-check=0, pre-check=0", FALSE );
header( "Pragma: no-cache" ); // HTTP/1.0

However, this makes all my forms reset when the user presses back. I want to do something Gmail-style: if a user has logged out, I want to redirect him to a page, then from that page I want to redirect to a logout-successful message page. So the user cannot press the back button and return inside the member area.
Asked by: radzeen
 
Ivo Stoykov Commented:
hi radzeen

better create a session stamp for the user on logon and destroy it on log off.
This way even pressing the back button user won't be able to enter.

This means that you must have a check on each and every page you send to the user.
If there is no required data -> log on

HTH

I
0
 
radzeen (Author) Commented:
Hi ivostoykov,

Currently I use cookies; I check in each member area file. If there are no cookies, then they are redirected to the login page. It is working. But the problem is that when someone logs out they can still hit the back button and view the user area section. They will only be redirected if they refresh the page.

By the way, what do you mean by session stamp? Can you explain further?

Thanks
0
 
Ivo Stoykov Commented:
hi radzeen

Cookies are not so reliable for many reasons. Nevertheless, session *is* using cookies - it is better IMHO.

If you set cookies, the user might close the window without logging out or might type a URL and navigate outside your server, etc.

Sessions might be ruled by your server and all mentioned above will be handled correctly.

By session stamp I mean any appropriate session data related to the logged-in user. It might be anything suitable to your purposes, for instance a userID hash will do a perfect job.
0
 
radzeen (Author) Commented:
Hi ivostoykov,

Session might be better than cookies. But the problem is that even if I use a session (actually I use a session for the admin site), I can still hit the back button and get into the restricted area even though I logged out and destroyed the session. The browser always caches all pages; session deletion is only detected when the user refreshes the page. How do I avoid the user re-entering the system after logout by pressing back?

Thanks in advance
0
 
Ivo Stoykov Commented:
hi radzeen
Yes, this is true and this is why you must have a check on each and every page you send to the user.
When the user closes the window or navigates outside your server, the session is usually destroyed, and pressing the back button will return to the page but without session data. Here comes your check and the following redirection.
If the session is still valid you have to check your settings.
I
0
 
radzeen (Author) Commented:
I use this code to validate the session in each page:

session_start();

// No logged-in user in the session: redirect to the login page
if (empty($_SESSION['SS_usno'])) {
    header("Location: login.php?flag=lg");
    exit; // stop here so the protected page is not sent after the redirect header
}

Please provide your code. It is only working if I refresh the browser.

0
 
Ivo Stoykov Commented:
You must have session_unset() when the user logs off so that next time the session is empty.
Additionally you have to catch the leaving event on the client side and destroy the session.
These two are mandatory; otherwise the back button will always enter until there is a valid session.
Even if you prefer cookies, the same mechanism must be used to destroy the cookie, i.e. when the user closes or leaves.
I cannot paste code, for there are too many dependencies and this is not a matter of a few lines but a few files.
Hope you've caught the idea
I
0
 
radzeen (Author) Commented:
I am quite confused at step 2, "Additionally you have to catch leaving event on client side and destroy the session".

Actually, you get this done by using javascript or php?
0
 
Ivo Stoykov Commented:
On the client you have only JavaScript.
On the server you could check whether the referer is empty. If the user comes from a page on your server, there will be the page it comes from. If not, it comes from elsewhere and must log on.
0
 
shadow_shooter Commented:
Simply, it happens because the webpage that the user was on is cached by browsers. I am not sure how to prevent that from happening. Maybe you can try refreshing the corresponding page by header commands. I'm still not sure if it will work since the browser does not request the page from the server. There should be something to force the browser not to cache the page.

You can try these:

<meta http-equiv="cache-control" content="no-cache"> <!-- tells browser not to cache -->
<meta http-equiv="expires" content="0"> <!-- says that the cache expires 'now' -->
<meta http-equiv="pragma" content="no-cache"> <!-- says not to use cached stuff, if there is any -->

You should try each of them and you should include it between the head tags since they are meta values.

If they don't work then you can try the alternative version, which is mentioned on one of the webpages as a solution given to another user who has the same problem:

"The onload event should be fired when the user hits the back button. Elements not created via JavaScript will retain their values. I suggest keeping a backup of the data used in dynamically created element within an INPUT TYPE="hidden" or TEXTAREA set to display:none then onload using the value of the textbox to rebuild the dynamic elements to the way they were. If you don't care about rebuilding the page and want to actually reload it, then you could do:        
Code:
<input type="hidden" id="refreshed" value="no">
<script type="text/javascript">
onload = function () {
    var e = document.getElementById("refreshed");
    if (e.value == "no") {
        e.value = "yes";
    } else {
        e.value = "no";
        location.reload();
    }
};
</script> "

Let me know the results.
0
 
radzeen (Author) Commented:
Hi shadow_shooter,
I am working on something else right now. I will definitely try it by today.

Thanks
0
 
Ivo Stoykov Commented:
Hi radzeen
The problem is not in the page and JavaScript.
It is in the PHP SESSION. It is what sends cookies and allows return to the page if the cookie is not expired.
One approach could be:
  1. Create a hidden frame.
  2. Set a short timeout (let's say 30 secs)
  3. Refresh the hidden frame on a smaller interval (let's say 25 secs)
This way the session will expire very soon and the chance for the user to return by hitting the back button is very small.
Let me know what's the result.
HTH
I
0
 
radzeen (Author) Commented:
thank you
0
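
Added example, not part of any post in this thread: the server-side pieces discussed above combined in PHP, with a session check plus no-store headers on every member page and a logout that clears the session and its cookie before redirecting. `send_no_store_headers()`, `require_login()`, `logout()` and `logged_out.php` are hypothetical names; `SS_usno` and `login.php?flag=lg` come from the asker's code.

```php
<?php
// Added example: function names and logged_out.php are hypothetical.
// SS_usno and login.php?flag=lg are taken from the code posted in the thread.

function send_no_store_headers(): void
{
    // Forbid the browser and any proxy from keeping a copy of this response,
    // so Back has to re-request the page and reach the session check again.
    header('Cache-Control: no-store, no-cache, must-revalidate, private');
    header('Pragma: no-cache'); // HTTP/1.0 caches
    header('Expires: 0');       // not a valid date, so treated as already expired
}

// Call at the top of every member-area page, before any output.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    send_no_store_headers();
    if (empty($_SESSION['SS_usno'])) {
        header('Location: login.php?flag=lg', true, 303);
        exit; // never fall through and render the protected page
    }
}

// Call from the logout script only.
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                       // drop the server-side login state
    if (ini_get('session.use_cookies')) { // expire the session cookie in the browser
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // delete the session data on the server
    send_no_store_headers();
    header('Location: logged_out.php', true, 303); // hypothetical confirmation page
    exit;
}
```

Because the headers are sent only from `require_login()`, pages outside the member area stay cacheable. Member pages are re-requested on Back, so unsaved form input on them is lost, which is the form reset the asker describes.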
