PHP Session variables not destroyed with Internet Explorer IE (or cache problems)


I have a web form on PAGE A that gets sent to PAGE B for processing. PAGE B validates the data, inserts it into a MYSQL database. The record ID that is generated from the INSERT is placed into a SESSION variable.  PAGE B has a button on it. When user clicks button, it goes to PAGE C, which uses the class FPDF to generate a nice PDF Form that the user prints out. PAGE C uses the SESSION variable created on PAGE B to find the correct record.
PAGE A does all of the SESSION DESTROY/COOKIE DESTROY stuff to erase all personal data in case someone goes from PAGE C to PAGE A without closing the browser window. When I print out the session data on this page, it is blank, so I feel confident that this is happening correctly.

In Firefox, the system works fine... But in I.E. the SESSION variable of the first person to fill out the form since the browser window has been open will persist. Or, if it doesn't persist, IE is somehow caching the old PAGE 3 and reprinting the previous record.

This is not good for privacy purposes.

Is there anything I can do to force IE to purge its cache?


Have you tried the header value:

header("Cache-Control: no-cache, must-revalidate");

You could also try specifying the "Expires" header value to a date in the past.

This should prevent the browsers from caching the page.
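
The headers suggested in the answer above, combined with a full session reset on the form page, as an added PHP example (not code from this thread). The function names `send_no_cache_headers()` and `reset_session()` and the `record_id` session key are assumptions made for illustration.

```php
<?php
// Added example; function names and the 'record_id' session key are hypothetical.

// Call before any output on pages that show per-user data (e.g. the PDF page).
function send_no_cache_headers(): void
{
    // no-store: caches must not keep a copy; no-cache/must-revalidate: check
    // with the server before reusing anything already stored.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');                       // HTTP/1.0 caches
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT'); // a date in the past
}

// Call on the form page so the next visitor in the same browser starts clean.
function reset_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                                   // drop the data for this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the session cookie in the browser, matching its original scope.
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                                // delete the server-side data
}

// Usage on the PDF page: refuse to render when the session holds no record.
session_start();
send_no_cache_headers();
if (empty($_SESSION['record_id'])) {
    http_response_code(403);
    exit('No record for this session.');
}
$recordId = (int) $_SESSION['record_id'];
// ... look up $recordId and generate the PDF here ...
```

Older Internet Explorer versions are known to have trouble opening file downloads over HTTPS when no-cache headers are sent, so test the PDF page in the browsers you need to support.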

Ray Paseur Commented:
aberns: Have you tested this system with more than one copy of the browser running?  In practice this is a rare occurrence, but in testing you can have something goofy happen.  Here is why.

The session handler sets a cookie on the browser.  If you have any instance of that browser open, the cookie persists and all instances of the browser are able to resend the cookie.  Symptoms seem like, "I just logged off, and yet it still has me logged in, etc."

There is no practical fix for this - it is just the way sessions and cookies interact with the browser.  But as I said, in practice this is very rare.

HTH, ~Ray
aberns (Author) Commented:
Hi Guys,

Thanks for your responses. I have been pulled off onto another project, but I will revisit this issue tomorrow and try the things you've suggested, both in terms of the no-cache statements, and the multiple browsers opened at once.

For now, I am sending POST variables instead of SESSION, which has solved the problem.

But I wonder in general, when collecting variables for Ecommerce or some other personal data, what is the gold standard in terms of collecting and passing variables? Encryption is of course assumed. Thanks.
Ray Paseur Commented:
SSL is all you need when you collect the data. Depending on the risk of exposure, you might want to encrypt the data whenever it is stored in a database or transmitted over the internet. If you want help on this, please post a question about "Sending encrypted data" and I'll be glad to show you my teaching samples on the topic.

One noteworthy matter... It is notoriously hard to debug data-dependent errors when the data is encrypted, so plan your appdev budget accordingly!!

Best, ~Ray
aberns (Author) Commented:
Thanks to both of you for the reply. I am just going to stick with POST and SSL.

aberns (Author) Commented:
Thanks. Look for the question "Sending encrypted data" shortly.

I am also going to be posting a follow up question to an excellent solution you provided on June 11 2009, entitled "modify javascript to dynamically generate form fields as array rather than appending numbers" in the javascript section, if you are interested.

Thanks again for sharing your expertise!
Ray Paseur Commented:
10-4, and thanks for the points, ~Ray
Question has a verified solution.