Logging out from PHP apps

**Lashman** · Apr 20, 2006 12:55

I recently wrote an app.. that requires a user to log in and logout...
But the problem is that after logging out.. and session variables have been unset and the session destroyed , on clicking the back button on the browser the user can still gain access to the page before the logout page..

Please, how do I solve this security problem

**Pedro Monteiro** · Apr 20, 2006 14:18

That's odd. Are you absolutely certain all the variables are being unset?

**Dan Grossman** · Apr 20, 2006 14:40

They're viewing the page from cache. You can send headers telling the browser not to cache the pages, but you really can't control it any more than you can stop them from saving the page before logging out.

**Lashman** · Apr 21, 2006 06:58

So what do u suggest I do.. to go round this problem.. cuz, security wise .....

**Dan Grossman** · Apr 21, 2006 07:04

Sending the cache control headers is the most you can do. You can't stop anyone from accessing content you've already sent to their browsers.

**EscapeYourMind** · Apr 21, 2006 07:08

If you have your protected area setup correctly so that each page validates the users info, it wont really matter if they use the back button, because as soon as they try to go to another page, or perform an action your code should have an error saying they do not have access anymore. Worrying about them "seeing" stuff again should not really be a concern as obviously they logged in and were able to see the info then, so they can just log in again and still see it.

**worldburns2death** · Apr 21, 2006 19:54

Originally Posted by Lashman

I recently wrote an app.. that requires a user to log in and logout...
But the problem is that after logging out.. and session variables have been unset and the session destroyed , on clicking the back button on the browser the user can still gain access to the page before the logout page..

Please, how do I solve this security problem

I wrote one a long time ago that corrected that problem. However I'm drawing a blank as to what I did. I'm pretty sure I had a meta tag like < meta http-equiv="Pragma" content="No-Cache" > in my head section.

But if I were to click "back" after I logged out, it would take me back to the login screen and display an error. If I can find that code, I'll pass it your way. Maybe it will help.

**Lashman** · Apr 28, 2006 10:23

Thanks worldburns2death , I'll try that out, it obviously is a cache problem....

**Immerse** · Apr 28, 2006 13:57

Try putting this in your page:

PHP Code:


header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");

header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");

header("Cache-Control: no-store, no-cache, must-revalidate");

header("Cache-Control: post-check=0, pre-check=0", false);

header("Pragma: no-cache");

That should stop any of the pages being cached.

User Tag List

Thread: Logging out from PHP apps

Thread Tools

Display

Logging out from PHP apps

Bookmarks

Bookmarks

Posting Permissions