radzeen
asked on
Avoid user re-enter system after logout by pressing back
I am developing a PHP-based site. I use the code below to avoid the user pressing back after logout:
header( "Last-Modified: " . gmdate( "D, j M Y H:i:s" ) . " GMT" );
header( "Expires: " . gmdate( "D, j M Y H:i:s", time() ) . " GMT" );
header( "Cache-Control: no-store, no-cache, must-revalidate" ); // HTTP/1.1
header( "Cache-Control: post-check=0, pre-check=0", FALSE );
header( "Pragma: no-cache" ); // HTTP/1.0
However, this makes all my forms reset when the user presses back. I want to do something Gmail-style: if a user has logged out, I want to redirect him to a page, then from that page redirect to a logout-successful message page, so the user cannot press the back button and return inside the member area.
ASKER
Hi ivostoykov,
Currently I use cookies, which I check in each member-area file. If there are no cookies, the user is redirected to the login page. It is working. But the problem is that when someone logs out they can still hit the back button and view the user area section. They will only be redirected if they refresh the page.
By the way, what do you mean by session stamp. Can you explain further?
Thanks
hi radzeen
Cookies are not so reliable, for many reasons. Even though a session *is* using cookies, it is better IMHO.
If you set cookies, the user might close the window without logging out, or might type a URL and navigate outside your server, etc.
Sessions can be controlled by your server, and everything mentioned above will be handled correctly.
By session stamp I mean any appropriate session data related to the logged-in user. It might be anything suitable to your purposes; for instance, a userID hash will do a perfect job.
ASKER
Hi ivostoykov,
A session might be better than cookies. But the problem is that even if I use a session (actually I use sessions for the admin site), I can still hit the back button and get into the restricted area even after I have logged out and destroyed the session. The browser always caches all pages; session deletion is only detected when the user refreshes the page. How do I avoid the user re-entering the system after logout by pressing back?
Thanks in advance
hi radzeen
Yes, this is true, and this is why you must have a check on each and every page you send to the user.
When the user closes the window or navigates outside your server, the session is usually destroyed, and pressing the back button will return to the page but without session data. Here come your check and the following redirection.
If the session is still valid, you have to check your settings.
I
ASKER
I use this code to validate session in each page:
session_start();
// Redirect to the login page when no user number is stored in the session
if (empty($_SESSION['SS_usno'])) {
    header("Location: login.php?flag=lg");
    exit; // stop here so the protected page is not sent after the redirect header
}
Please provide your code. It is only working if I refresh the browser.
You must have session_unset() when the user logs off so that next time the session is empty.
Additionally, you have to catch the leaving event on the client side and destroy the session.
These two are mandatory; otherwise the back button will always enter as long as there is a valid session.
Even if you prefer cookies, the same mechanism must be used to destroy the cookie, i.e. when the user closes or leaves.
I cannot paste code, for there are too many dependencies and this is not a matter of a few lines but of a few files.
Hope you've caught the idea
I
ASKER
I am quite confused at step 2, "Additionally you have to catch leaving event on client side and destroy the session".
Actually, do you get this done by using JavaScript or PHP?
On the client you have only JavaScript.
On the server you could check whether the referer is empty. If the user comes from a page on your server, it will contain the page he comes from; if not, he comes from elsewhere and must log on.
ASKER
Hi shadow_shooter,
I am working on something else right now. I will definitely try it by today.
Thanks
ASKER
thank you
Better create a session stamp for the user on logon and destroy it on logoff.
This way, even by pressing the back button, the user won't be able to enter.
This means that you must have a check on each and every page you send to the user.
If the required data is not there -> log on
HTH
I
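The per-page check and the "create the session stamp on logon, destroy it on logoff" advice from the answers above, put together as an added example (not code posted by anyone in this thread). `SS_usno` and `login.php?flag=lg` come from the asker's snippet; the function names and the `logout_ok` flag value are hypothetical.

```php
<?php
// Added example. Function names and the 'logout_ok' flag are hypothetical.

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call right after the credentials have been verified.
function login(string $userNo): void
{
    start_session();
    session_regenerate_id(true);     // fresh session id for the logged-in user
    $_SESSION['SS_usno'] = $userNo;  // the "session stamp"
}

// Call at the top of every member-area page, before any output.
function require_login(): void
{
    start_session();
    if (empty($_SESSION['SS_usno'])) {
        header('Location: login.php?flag=lg');
        exit; // without exit the protected page body is still sent
    }
    // Only authenticated pages are marked uncacheable, so the browser keeps
    // no copy to show on Back and has to ask the server, which runs this check.
    header('Cache-Control: no-store, no-cache, must-revalidate, private');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Call from the logout page.
function logout(): void
{
    start_session();
    $_SESSION = [];                        // drop the session stamp
    if (ini_get('session.use_cookies')) {  // expire the session cookie as well
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: login.php?flag=logout_ok'); // land on a public page
    exit;
}
```

Because member pages are sent with `no-store`, the browser typically does not restore typed form values on Back either, which is the form reset the asker describes; public pages such as the login page can stay cacheable.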