9
votes

I am having trouble with session_destroy().

When the user presses Log out it has to destroy the session. I wrote the following code:

Logout.php

<?php
    session_start();
    session_destroy();
    header("location: LoginViewController.php");
    exit();   // stop the script once the redirect header has been sent
?>

After pressing log out, when I press the browser back button it shows my previous logged-in user page and the session username on the Login.php page.

Login.php

<?php
    session_start();
    // The username is taken straight from the query string parameter
    $_SESSION['user'] = $_GET['username'];
    // Escape the value before echoing it into the HTML
    echo '<div style="background:white; text-align:right"> Login as: ' . htmlspecialchars($_SESSION['user']) . '</div>';
    echo '<a href="Logout.php" style="text-align:right">Logout</a>';
?>

LoginViewController.php

<?php
    header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
    header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");

    $Username  = $_POST['uname'] ?? '';
    $Password  = $_POST['pwd'] ?? '';
    $User_Type = $_POST['type'] ?? '';

    // Continue only when none of the three fields is empty
    if (!(empty($Username) || empty($Password) || empty($User_Type))) {
        $model = new UsersModel();   // the asker's own model class
        $rowsCount = $model->checkUser($Username, $Password, $User_Type);

        if ($rowsCount != 0) {
            header("location: login.php?username=" . urlencode($Username));
            exit();   // stop after the redirect
        } else {
            echo '<script type="text/javascript">alert("Enter username and password correctly");
            window.location.href="LoginViewController.php";</script>';
        }
    }
?>

I don't know why it is working like that.

Please help me to find out where I made a mistake.

I want to disable that browser back button after logout.

This should help you : codeproject.com/Tips/549347/… - Brewal
Is the user being passed around in the URL via parameters? And do you really mean to set the user in the session to something sent in by the user? - Doon
Yes, I passed the username through the URL and get that username to display on my page. - Kvk Ganesh
Your session is recreated when you press the back button. - Mithun Sen
Yeah, but how can I restrict that one? - Kvk Ganesh

7 Answers

8
votes

login.php page:

<?php
    session_start();   // needed before anything is written to $_SESSION
    if (isset($_POST['uname'], $_POST['pwd'], $_POST['type'])) {
        $Username  = $_POST['uname'];
        $Password  = $_POST['pwd'];
        $User_Type = $_POST['type'];
        if (!(empty($Username) || empty($Password) || empty($User_Type)))
        {
             $model = new UsersModel();   // the asker's own model class
             $rowsCount = $model->checkUser($Username, $Password, $User_Type);
             if ($rowsCount != 0)
             {
                  $_SESSION['user'] = $Username;
                  header("Location: LoginViewController.php");
                  exit();   // stop after the redirect
             } else {
                  echo 'Bad user';
             }
        } else {
             echo 'Please, fill all inputs';
        }
    } else {
        echo 'Bad form sent';
    }
?>
<form name="f1" method="POST" action="" >
    <!-- inputs -->
</form>

LoginViewController.php:

<?php
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");

session_start();   // load the session before checking it
if (!isset($_SESSION['user'])) {
    header('Location: login.php');
    exit();
}
echo 'You have successfully logged as ' . htmlspecialchars($_SESSION['user']);
?>

And add the headers to force the browser to revalidate the pages:

logout.php:

<?php
session_start();
$_SESSION = array();                   // empty the session data first
if (ini_get("session.use_cookies")) {  // then expire the session cookie in the browser
    setcookie(session_name(), '', time() - 42000, '/');
}
session_destroy();                     // finally drop the server-side session record
header("location: login.php");
exit();                                // stop output after the redirect
?>
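A consolidated version of the approach in this answer, written as an added example rather than code from the original posts: one shared auth.php that every page includes. The function names, the use of PHP 7.3+ cookie parameters and the LoginViewController.php redirect target are assumptions; UsersModel is the asker's own class and is not defined here.

```php
<?php
// auth.php: shared helper, assumed to be require'd by every page (constructed example).

// Start the session first: session_start() emits its own cache headers, so ours go after it.
function start_secure_session(): void {
    ini_set('session.use_strict_mode', '1');       // reject ids the server did not issue
    session_set_cookie_params([
        'httponly' => true,                        // cookie not readable from JavaScript
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),   // only over TLS when the site uses it
    ]);
    session_start();
    // no-store is the directive that stops the Back button replaying the old HTML
    header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
    header("Pragma: no-cache");
    header("Expires: Thu, 01 Jan 1970 00:00:00 GMT");
}

// Guard for protected pages: send the visitor to the login page when nobody is logged in.
function require_login(string $login_page = 'LoginViewController.php'): void {
    if (empty($_SESSION['user'])) {
        header('Location: ' . $login_page);
        exit();                                    // never fall through to the page body
    }
}

// Call only after the credentials were verified (e.g. by UsersModel::checkUser).
function login_user(string $username): void {
    session_regenerate_id(true);                   // fresh id, so a pre-login id cannot be reused
    $_SESSION['user'] = $username;
}

// Full logout: clear the data, expire the cookie in the browser, destroy the server-side record.
function logout_user(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Protected page:  require 'auth.php'; start_secure_session(); require_login();
//                  echo 'Login as: ' . htmlspecialchars($_SESSION['user']);
// Logout.php:      require 'auth.php'; start_secure_session(); logout_user();
//                  header('Location: LoginViewController.php'); exit();
```

After logout the old session id is rejected by strict mode even if a stale cookie reaches the server, and a Back-button request for a protected page is re-sent and redirected by require_login() instead of being served from cache.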
4
votes

This is caused by the browser cache that is keeping details in the page; if you refresh the page or you move any further in your private area you will be prompted to the login page and you will not be able to see anything, assuming that your login check system is correctly configured.

You can otherwise force the browser not to cache the page and make a new request to the server for the page:

header("Cache-Control: private, must-revalidate, max-age=0");
header("Pragma: no-cache");
header("Expires: Fri, 4 Jun 2010 12:00:00 GMT");
2
votes

You should do a redirect from your logout script.

For example:

header("Location: index.php");
exit();   // stop the script after the redirect

If the user hits back next time, it'll go to the logout.php page again, where you can do the check again and redirect again :) It's an infinite loop if the user tries again.

1
votes

Here is my LoginController.php

<?php
    header("Cache-Control: private, must-revalidate, max-age=0");
    header("Pragma: no-cache");
    header("Expires: Fri, 4 Jun 2010 12:00:00 GMT");

    // If you are submitting the form, check the details against the database
    $Username  = $_POST['uname'] ?? '';
    $Password  = $_POST['pwd'] ?? '';
    $User_Type = $_POST['type'] ?? '';
    session_start();

    // Continue only when none of the three fields is empty
    if (!(empty($Username) || empty($Password) || empty($User_Type)))
    {
        $model = new UsersModel();   // the asker's own model class
        $rowsCount = $model->checkUser($Username, $Password, $User_Type);

        if ($rowsCount != 0)
        {
            $_SESSION['user'] = $Username;
            header("location: login.php");
            exit();   // stop after the redirect
        } else {
            echo '<script type="text/javascript">alert("Enter username and password correctly");
            window.location.href="LoginViewController.php";</script>';
        }
    }
?>

Here is my after-login page (login.php). It displays the session user name and the logout link.

<?php
    header("Cache-Control: private, must-revalidate, max-age=0");
    header("Pragma: no-cache");
    header("Expires: Fri, 4 Jun 2010 12:00:00 GMT");

    session_start();
    // Send anyone without a session back to the login form
    if (!isset($_SESSION['user']))
    {
        header('Location: LoginViewController.php');
        exit();
    }
    // Escape the stored username before echoing it into the HTML
    echo '<div style="background:white; text-align:right"> Login as: ' . htmlspecialchars($_SESSION['user']) . '
    <a href="Logout.php" style="text-align:right">Logout</a></div>';
?>

Here is my Logout.php

<?php
    header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
    header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
    session_start();
    $_SESSION = array();   // clear the data before destroying the session
    session_destroy();
    header("Location: LoginViewController.php");
    exit();   // stop after the redirect
?>
0
votes
if (window.history) {
    // Push the visitor forward again whenever they navigate back onto this page
    window.history.forward();
}
0
votes
header("Cache-Control: private, must-revalidate, max-age=0");
header("Pragma: no-cache");
header("Expires: Fri, 4 Jun 2010 12:00:00 GMT");
0
votes

Try this code on all pages except the login page and the login validation page.

session_start();

// empty() also covers the case where the key was never set, so no notice is raised
if (empty($_SESSION['sesuname'])) {
    echo "You are not logged in.";
    exit();
} else {
    /* All other code must be here */
}