  1. #1
    SitePoint Enthusiast (Lashman)
    Logging out from PHP apps

    I recently wrote an app that requires a user to log in and log out.
    But the problem is that after logging out, when the session variables have been unset and the session destroyed, clicking the back button in the browser still lets the user get to the page they were on before the logout page.

    Please, how do I solve this security problem?

  2. #2
    SitePoint Wizard Pedro Monteiro
    That's odd. Are you absolutely certain all the variables are being unset?

  3. #3
    Dan Grossman
    They're viewing the page from cache. You can send headers telling the browser not to cache the pages, but you really can't control it any more than you can stop them from saving the page before logging out.

  4. #4
    SitePoint Enthusiast (Lashman)
    So what do you suggest I do to get round this problem? Because, security-wise...

  5. #5
    Dan Grossman
    Sending the cache control headers is the most you can do. You can't stop anyone from accessing content you've already sent to their browsers.

  6. #6
    SitePoint Zealot
    If you have your protected area set up correctly so that each page validates the user's info, it won't really matter if they use the back button, because as soon as they try to go to another page or perform an action, your code should give an error saying they do not have access any more. Worrying about them "seeing" stuff again should not really be a concern, as obviously they logged in and were able to see the info then, so they can just log in again and still see it.

  7. #7
    SitePoint Enthusiast (worldburns2death)
    Quote Originally Posted by Lashman
    I recently wrote an app that requires a user to log in and log out.
    But the problem is that after logging out, when the session variables have been unset and the session destroyed, clicking the back button in the browser still lets the user get to the page they were on before the logout page.

    Please, how do I solve this security problem?
    I wrote one a long time ago that corrected that problem. However, I'm drawing a blank as to what I did. I'm pretty sure I had a meta tag like <meta http-equiv="Pragma" content="No-Cache"> in my head section.

    But if I were to click "back" after I logged out, it would take me back to the login screen and display an error. If I can find that code, I'll pass it your way. Maybe it will help.

  8. #8
    SitePoint Enthusiast (Lashman)
    Thanks worldburns2death, I'll try that out; it obviously is a cache problem.

  9. #9
    SitePoint Wizard Immerse
    Try putting this in your page (before any output, or PHP cannot send the headers):

    PHP Code:
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");                // a date in the past: already expired
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");   // "modified" at the time of every request
    header("Cache-Control: no-store, no-cache, must-revalidate");    // HTTP/1.1 caches
    header("Cache-Control: post-check=0, pre-check=0", false);       // false = append a second header, do not replace the first
    header("Pragma: no-cache");                                      // HTTP/1.0 caches
    That should stop any of the pages being cached.
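The two answers above fit together: post #6 says every protected page must re-check the session, and post #9 says every protected page must tell the browser not to keep a copy. The following is an added example, not code from the thread or from any poster, that does both in one file, plus a logout that actually clears the cookie as well as the server-side session. The function names (`send_no_cache_headers`, `require_login`, `logout`, `login_user`), the `?action=logout` parameter, and the `login.php` target are my own assumptions.

```php
<?php
// Added example, not from the thread: a protected page that re-checks the
// session on every request (post #6) and sends no-cache headers before any
// output (post #9). Function names and the ?action= parameter are assumed.

session_start();

// Must be called before a single byte of output, otherwise PHP reports
// "headers already sent" and the browser caches the page as usual.
function send_no_cache_headers(): void
{
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
    header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
    header("Pragma: no-cache");
}

// A user is logged in only if the login handler stored a user id in the
// session. Destroying the session on logout removes it, so the check fails.
function is_logged_in(): bool
{
    return isset($_SESSION['user_id']) && is_int($_SESSION['user_id']);
}

// Gate for every protected page: no valid session -> back to the login form.
function require_login(): void
{
    if (!is_logged_in()) {
        send_no_cache_headers();
        header("Location: login.php?error=expired", true, 302);
        exit;
    }
}

// Login handler (assumed): rotate the session id after the credentials
// check so an id issued before login cannot be reused, then mark it as
// authenticated.
function login_user(int $user_id): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
}

// Logout: empty the session array, expire the session cookie in the browser,
// then destroy the server-side session. unset() on the variables alone leaves
// both the cookie and the session file in place.
function logout(): void
{
    $_SESSION = [];
    if (ini_get("session.use_cookies")) {
        $p = session_get_cookie_params();
        setcookie(session_name(), "", time() - 42000,
                  $p["path"], $p["domain"], $p["secure"], $p["httponly"]);
    }
    session_destroy();
}

// Dispatch on a hypothetical ?action= parameter so the whole flow is one file.
$action = $_GET['action'] ?? 'view';

if ($action === 'logout') {
    logout();
    send_no_cache_headers();
    header("Location: login.php?loggedout=1", true, 302);
    exit;
}

require_login();           // redirects if the session was destroyed
send_no_cache_headers();   // stop the browser keeping a copy for the Back button
echo "Secret page for user " . (int) $_SESSION['user_id'];
```

Two caveats worth knowing. First, PHP's default `session.cache_limiter` setting is `nocache`, so `session_start()` already sends an equivalent set of `Expires`, `Cache-Control` and `Pragma` headers; if the original poster's protected pages call `session_start()` and the Back button still shows the page, either that setting was changed or the browser is serving the page from its in-memory back/forward cache rather than the HTTP cache, and `Cache-Control: no-store` is the directive browsers honour for that case. Second, as Dan Grossman says above, none of this stops a user who saved the page or took a screenshot while logged in; the headers only keep the browser from silently showing a stale copy, and the per-request `require_login()` check is what actually protects the data.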

