Preventing users from going back to a secure page by using the back button

Hello everyone, I’m not sure if my problem needs JavaScript or PHP, but since I’m coding it in PHP I thought I should start there. How do you kill a session immediately after a user decides to go out of the secure area without logging off?

Can this be done using PHP or Java?

Thanks.

I’m not sure it can be done in PHP :scratch: and you can be sure it’s not a JavaScript thing, assuming the site is using sessions.

To test it, I just left this forum and went to a public web page, and after I clicked my back button it took me straight back here as if I never left.

It’ll be interesting to find out.

But if a user closes their browser without logging off, then they won’t be able to go back to the secured page without logging on again.

When the user enters a page you could check if the referrer ($_SERVER['HTTP_REFERER'] – the one R there is not a typo!) is also in the secure area. If it’s not, force a log out.
It’s kinda unstable as people can fake their referrer if they like, but it should work quite OK for normal day-to-day use.

I don’t follow :confused2:

I just went to www.google.com from here, clicked my browser’s back button and I came straight back here as if I never left.

How can you check if I went to Google, or any other public site, from here to force a logout when I go to Google?

Here’s what I would do.

First, tell the page not to cache by setting the relevant headers: http://www.web-caching.com/mnot_tutorial/how.html

Then, when the user enters the secure section of your site, set a session cookie containing a random, long string (128-256 characters or so, vary the length) and create a corresponding row in a sessions table in your database. Have a boolean field in your table that says the page has not been viewed.

When you serve the page, look in your table to see if the user with the session cookie has viewed the page or not. If they haven’t, serve it and update the boolean. If they have send them a redirect. They won’t be able to see the cached version if they click back because of the headers you set.

You should be able to mung something together in pretty much any language, but I would always use Rails for something non-trivial like this.

Good luck with it!
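As an added illustration of this scheme (example code, not from the original post): a PHP members page that sends no-cache headers and serves itself only once per view token. The "viewed" boolean is kept in `$_SESSION` rather than a database sessions table, and the paths `/login.php` and `/members.php` are assumed.

```php
<?php
// Added example (not from the thread): serve a secure page once per view token.
// Assumes the user has already logged in and PHP sessions are in use; the
// "viewed" boolean lives in $_SESSION instead of the database table suggested above.
declare(strict_types=1);
session_start();

// 1. No-cache headers: Back/Forward must re-request the page instead of showing a cached copy.
header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
header('Pragma: no-cache');
header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');

if (empty($_SESSION['user_id'])) {
    header('Location: /login.php');   // assumed login path
    exit;
}

$token = isset($_GET['t']) && is_string($_GET['t']) ? $_GET['t'] : '';

// 2. No (or unknown) token: mint a long random one, record it as "not yet viewed",
//    and redirect so the URL the browser remembers carries the token.
if ($token === '' || !isset($_SESSION['view_tokens'][$token])) {
    $token = bin2hex(random_bytes(64));          // 128 hex characters
    $_SESSION['view_tokens'][$token] = false;    // viewed = false
    header('Location: /members.php?t=' . $token);
    exit;
}

// 3. Token already used: this request is a Back/Forward replay or a copied URL.
//    Invalidate the token, end the session (the OP wants a fresh login) and redirect.
if ($_SESSION['view_tokens'][$token] === true) {
    unset($_SESSION['view_tokens'][$token]);
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');
    exit;
}

// 4. First (and only) render for this token.
$_SESSION['view_tokens'][$token] = true;
echo 'Welcome to the members area.';
```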

I don’t suggest you force the logout when you go to google, but when you come back from google.
What SitePoint does is irrelevant, because SitePoint doesn’t have the requirement the OP has: log out the current user if they go back to the secured area from a non-secure page.

Of course… the penny’s finally dropped :headbang:

Thanks.

What I’m trying to say is this: I have a member page where registered members go after login. Now assume that a user clicks the back button to go back to the login page; when he clicks the forward button I don’t want him to go to the member page. I want that if he clicks the back button and then clicks the forward one, he must log in again to access the member page. I don’t know if you still get me.

I’m not sure if this only works if the page is using HTTPS. Please, let someone explain it to me. Last time I was writing the Cisco online exam, I tried to click the back arrow and the exam was disabled for me!

So how do you force the logout when I come back from Google?

I understand your requirement.

What I didn’t follow was ScallioXTX’s solution. He has since clarified it.

Actually, this is a better solution, I would do this.

Can you just explain your idea a bit more?

OK, sorry!

Guys, I have just tried this on my bank website; of course it’s using HTTPS.
I logged in, then I went to a different section of the site. When I click the back button it says “the page has expired” and the top menu of the site is still showing, so I just clicked one of the links and it takes me there. But then I tried to keep clicking back, back, until I went to the login page. Then I copied the URL from when I was logged on and pasted it in a new window, and it automatically kicked me out to the login page.
So it means this can be done, but I’m just not sure if it’s a function that comes with using SSL.

If your bank kicks you out when you copy-paste a URL into a new window/tab, they’re probably also using HTTP_REFERER.

Have you looked at $_SERVER['HTTP_REFERER'] to see what value it contains? Once you do, I think my idea will become clear to you very soon :slight_smile:

Your bank is doing this with session cookies and a bit of logic to determine when the cookie should expire (i.e. kill the cookie every time the user enters the login page). As I understood it though, you wanted to logout every time the user visited a page not on your site.

This was why ScallioXTX’s solution was good: you get logged out if you approach the site from a page not on your site, so you only have one point to check.

I’m not sure if the referrer gets set when the user uses the back button though, you’d need to check this.

Hi!
My solution would be something along these lines:

  1. Make sure that the session cookie can only be passed via SSL - http://php.net/manual/en/function.setcookie.php (read about the secure parameter).
  2. Create a second cookie that can be used to identify the session and set it so that this cookie can be passed without SSL (i.e. do not set secure to true).
  3. If the user opens a page, check the $_SERVER['HTTPS'] variable; if it is not set, then based on the second cookie value (if there is such a cookie) invalidate the whole session.

That way, if the user leaves the secure area, the second cookie will ensure that you destroy the session.
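The two-cookie scheme above as working PHP (an added example, not the poster's code, PHP 7.3+ for the array-style cookie options). Because the browser never sends the Secure session cookie over plain HTTP, the session cannot be opened from the non-secure page; instead the marker is put on a revocation list and the next HTTPS request destroys the matching session. The file path and `/login.php` are assumptions.

```php
<?php
// Added example (not from the thread) of the two-cookie scheme.
// The marker is NOT the session id: it travels over plain HTTP, so it must only be a revocation handle.
declare(strict_types=1);

const MARKER_COOKIE = 'sess_marker';
const REVOKED_FILE  = '/tmp/revoked_markers.txt';   // assumed path; use a DB table in production
const SESSION_COOKIE_OPTS = ['secure' => true, 'httponly' => true, 'samesite' => 'Lax', 'path' => '/'];

// Call once at login, over HTTPS, after the credentials have been verified.
function startSecureSession(): void {
    session_set_cookie_params(SESSION_COOKIE_OPTS);   // 1. session cookie only ever sent over SSL
    session_start();
    session_regenerate_id(true);
    $marker = bin2hex(random_bytes(16));              // 2. second cookie, deliberately NOT secure
    $_SESSION['marker'] = $marker;
    setcookie(MARKER_COOKIE, $marker, ['secure' => false, 'httponly' => true, 'samesite' => 'Lax', 'path' => '/']);
}

function isHttps(): bool {
    return !empty($_SERVER['HTTPS']) && strtolower((string) $_SERVER['HTTPS']) !== 'off';
}

// 3. Call at the top of every page, secure or not.
function enforceSecureArea(): void {
    if (!isHttps()) {
        // Non-secure page: the session cookie is absent, but the marker is here if a session exists.
        $marker = $_COOKIE[MARKER_COOKIE] ?? '';
        if (is_string($marker) && $marker !== '' && ctype_xdigit($marker)) {
            file_put_contents(REVOKED_FILE, hash('sha256', $marker) . "\n", FILE_APPEND | LOCK_EX);
            setcookie(MARKER_COOKIE, '', ['expires' => 1, 'path' => '/']);   // clear the marker
        }
        return;
    }
    session_set_cookie_params(SESSION_COOKIE_OPTS);
    session_start();
    $revoked = is_file(REVOKED_FILE) ? file(REVOKED_FILE, FILE_IGNORE_NEW_LINES) : [];
    if (isset($_SESSION['marker']) && in_array(hash('sha256', $_SESSION['marker']), $revoked, true)) {
        $_SESSION = [];
        session_destroy();                // the user visited a non-secure page: whole session invalidated
        header('Location: /login.php');   // assumed login path
        exit;
    }
}
```

Anyone who can read the marker on the wire can get that session revoked, which is a nuisance rather than a takeover, and exactly why the marker must never be the session id itself.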

@carlos_10111

Let me try and summarise what ScallioXTX suggested:

  1. Every time a user accesses one of their login pages, in addition to your normal login validation you also check what URL the user has just come from via $_SERVER['HTTP_REFERER'].

  2. If the value of $_SERVER['HTTP_REFERER'] is not on a list of your website’s valid URLs, then that means the user has just come from a URL not on your website, and so you then log them out.
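The referrer check from the original suggestion and this summary, written out as an added PHP example (not code from either poster). It separates the three cases a real request presents: a same-site referrer, an off-site one, and none at all, which is what the back button usually sends. The hostnames and `/login.php` are assumptions.

```php
<?php
// Added example (not from the thread): classify $_SERVER['HTTP_REFERER'] against a list of
// your own hosts and log the user out when the request did not come from your site.
declare(strict_types=1);

const SITE_HOSTS = ['www.example.com', 'example.com'];   // assumed; your website's hosts

/**
 * 'same-site' : referrer host is one of SITE_HOSTS
 * 'off-site'  : referrer present but from another host (the case the summary logs out)
 * 'unknown'   : no usable referrer (back button, typed URL, privacy settings, malformed value)
 */
function classifyReferer(?string $referer, array $siteHosts = SITE_HOSTS): string {
    if ($referer === null || $referer === '') {
        return 'unknown';
    }
    $host = parse_url($referer, PHP_URL_HOST);   // null when no host, false when unparsable
    if (!is_string($host) || $host === '') {
        return 'unknown';
    }
    return in_array(strtolower($host), $siteHosts, true) ? 'same-site' : 'off-site';
}

// Call on each secured page right after session_start().
function enforceRefererPolicy(): void {
    $origin = classifyReferer($_SERVER['HTTP_REFERER'] ?? null);
    // 'unknown' has to be decided explicitly: a back-button navigation commonly sends no
    // Referer, so treating it like 'off-site' is what meets the OP's "must log in again"
    // requirement, at the cost of also logging out browsers configured never to send one.
    if ($origin !== 'same-site') {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');   // assumed login path
        exit;
    }
}
```

The header is client-supplied, so this is a usability control against casual back-button reuse, not a substitute for server-side session checks.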

Hey that’s a nice trick! And a lot more stable than my HTTP_REFERER approach! :tup:

But if you go to a another page/website and then click the BACK button, is the REFERER even set? My quick test below suggests not. :confused:

<?php
// Guard against an absent Referer (the back button usually sends none) and escape before echoing.
$referer = $_SERVER['HTTP_REFERER'] ?? '(not set)';
echo 'Referrer is ' . htmlspecialchars($referer, ENT_QUOTES, 'UTF-8') . '<br>';
?>
<a href="http://www.google.co.uk">Go to Google</a>

Edit: other posts above came in while I was testing. :slight_smile: