Thanks for doing the test siteguru If the referrer is unset then so much the better, just check for that, and don’t ship the page if the referrer is not your domain.
yep, referer is not being set either when I click my back button.
looks like aleksejs’ ssl solution would be the way to go for this scenario.
but what if the user is still on your website when they hit the back button and simply want to go to the previous page on your website.
wouldn’t they then be logged out because there was no referer?
Correct. Forget I ever said referrer and go for Aleksejs’ solution; it’s way better!
where do you want me to check for this? just give me an idea how to go about this. thanx
See above ^
That happens on my bank (coop) If you hit the back button it says “don’t hit the back button” and logs you out…
ok that I get, but in the example I gave you of the bank, I was on the same website, I did not change site, as in the example of going to google and coming back.
yep looks like it.
sounded good in theory but I realised after siteguru’s test that it’s not so reliable in practice
[I]yep, referer is not being set either when I click my back button.
looks like aleksejs’ ssl solution would be the way to go for this scenario.[/I]
I just read the whole thread more thoroughly. I think my suggestion will not prevent the following scenario:
If I understand correctly, then the requirement is that I can not do this:
Log into MySite, copy URL, go to OtherSite, paste URL, once again get access to MySite.
In my opinion you can do that only if you implement some sort of AJAX heartbeat… While opened, the page constantly reports via AJAX that the user is still active. If the user leaves this site, then the server detects that there is no response from the user and invalidates any session that has skipped (say) 3 times the heartbeat interval (for instance, the heartbeat could update a last_active session variable). Depending on how your heartbeat functionality is implemented, you can make sure that only a user who has never left the page has the correct heartbeat values.
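The server side of that heartbeat, as an added example that is not code from this thread: every ping refreshes last_active, and every ordinary page request (a pasted URL included) is checked against the same "3 skipped beats" rule. The 30 s interval and the /heartbeat endpoint are assumptions; the clock is passed in so the logic runs offline.

```javascript
// Added example: server side of the AJAX heartbeat from the post above.
// Assumed: a /heartbeat endpoint the page pings every HEARTBEAT_MS; the
// clock (`now`, in ms) is passed in so this runs and tests offline.
const HEARTBEAT_MS = 30 * 1000; // assumed ping interval
const MISSED_LIMIT = 3;         // skipped beats tolerated (from the thread)

const sessions = new Map();     // sid -> { userId, last_active }

function createSession(sid, userId, now) {
  sessions.set(sid, { userId, last_active: now });
}

// A session has gone quiet once more than MISSED_LIMIT intervals have
// passed since its last report.
function isQuiet(s, now) {
  return now - s.last_active > MISSED_LIMIT * HEARTBEAT_MS;
}

// Heartbeat endpoint: refresh last_active, but only for a live session.
function heartbeat(sid, now) {
  const s = sessions.get(sid);
  if (!s || isQuiet(s, now)) { sessions.delete(sid); return false; }
  s.last_active = now;
  return true;
}

// Ordinary page request (including a pasted URL or a reused cookie):
// apply the same rule, so a visitor who left the site and came back
// after the window is treated as logged out.
function isSessionValid(sid, now) {
  const s = sessions.get(sid);
  if (!s) return false;
  if (isQuiet(s, now)) { sessions.delete(sid); return false; }
  return true;
}

// Periodic server-side sweep so idle sessions die even if nobody asks.
// Returns how many were invalidated.
function expireSessions(now) {
  let removed = 0;
  for (const [sid, s] of sessions) {
    if (isQuiet(s, now)) { sessions.delete(sid); removed++; }
  }
  return removed;
}
```

The check is purely time-based: a URL pasted back within 3 intervals still works, so the interval length is the trade-off between catching a departed user quickly and logging out someone who merely paused.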
oh dear, my head is starting to :weyes:
I thought that is exactly what the op wants to not happen.
I’m going to
2 Kalon:
the requirement is that I can not do this:
(~;
Using multi negatives is such a fun, isn’t it?
ok guys, I thought this was an easy thing to do, but from your replies I realise it's a bit tricky! I will try all your suggestions and see which one will work. I would appreciate it if any of you could just try your theories as well, just to make sure they are feasible.
I think this is a great thread, thanx for all the inputs!
Wow, lost and lost.
So the user can not cut and paste a URL and get access to the site. In that case the referrer is still a good way to go, as in this case the referrer would be blank. The back button would be broken, but that would be good; you don't want people clicking back into your site if they sit down at your computer after you've left.
True, but javascript will give you no security. Turn off the script in the browser and you’ve turned off the security.
Except that the referrer is a HTTP header, in which case it can be spoofed.
I think the reality is that multiple levels of checking/security are needed to cater for all (known) eventualities.
Hi,
I think you can do it by using javascript:
function function_name() { window.history.forward(); }
write it as a function and do a function call as <body onload="function_name()">