0
votes

I have created login and logout pages to access a control panel. The scenario goes like this: the user logs in, accesses the cpanel page and then logs out. Problem: once login is done, if the user clicks the browser back button, the user goes back to the login page even though authentication is done and sessions are set; at the same time, if the user logs out and clicks the back button, it will return to the control panel page (if the user refreshes the page then everything seems to be fine and the user will be redirected to login and the back button won't redirect her to cpanel).

The problem is the browser cache. I tried with both a PHP header and an HTML meta tag to prevent the page from caching, but I could not succeed. Any solution to this?

My logout action code is as follows:

    public function logoutAction()
    {
        $auth = Zend_Auth::getInstance();

        // If not logged in, there is nothing to clear: just redirect
        if (!$auth->hasIdentity()) {
            $this->_redirect('admin/account/redirect');
        }

        // Clear the stored identity, then redirect
        $auth->clearIdentity();
        $this->_redirect('admin/account/redirect');
    }

4
Looks to me like you are right on by focusing on browser caching. As you note, if he reloads one of those pages, your auth-check kicks in and redirects him to login. I'd focus attention on fixing the no-cache headers you are sending for pages on which you do not want caching. - David Weinraub
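
The no-cache headers discussed above, as an added example that is not part of the original thread: a Zend Framework 1 front controller plugin that sets them for every response of the protected area, including redirects. The class name `App_Plugin_NoStore` and the module name `admin` are assumptions.

```php
<?php
/**
 * Added example (not from the original post): marks every response from
 * the protected module as non-storable, so the back button triggers a
 * fresh request that the existing Zend_Auth check can answer.
 *
 * Assumptions: the class name App_Plugin_NoStore is hypothetical, and the
 * login and control panel pages live in a module named "admin".
 */
class App_Plugin_NoStore extends Zend_Controller_Plugin_Abstract
{
    /** @var string[] modules whose pages must never be served from cache (assumed) */
    protected $_modules = array('admin');

    /**
     * Runs once routing is done and before any action is dispatched, so the
     * headers are already on the response object when an action calls
     * _redirect(), which by default sends the headers and exits immediately.
     */
    public function routeShutdown(Zend_Controller_Request_Abstract $request)
    {
        if (!in_array($request->getModuleName(), $this->_modules, true)) {
            return; // pages outside the protected module keep normal caching
        }

        $this->getResponse()
            // no-store: keep no copy at all; the other directives cover older caches
            ->setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, max-age=0', true)
            ->setHeader('Pragma', 'no-cache', true)  // HTTP/1.0 caches
            ->setHeader('Expires', '0', true);       // treat as already expired
    }
}

// Registration, for example from the application bootstrap:
Zend_Controller_Front::getInstance()->registerPlugin(new App_Plugin_NoStore());
```

The login page needs the same headers as the control panel, otherwise the cached login form is what the back button shows after a successful login.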

4 Answers

1
votes

You could always run a piece of JavaScript onLoad that requests another PHP page using AJAX and then, if the user is logged in, redirect them back to the CPanel or Login page, wherever they are supposed to be.

jQuery post would handle this quite nicely. http://api.jquery.com/jQuery.post/

1
votes

Browsers can behave differently, so what browser are you using?

Also, why bother checking if the user has an identity when logging out? Just clear the identity regardless of whether the user is logged in or not - less code, the better...

My logout code looks like:

    $auth = Zend_Auth::getInstance();
    $auth->clearIdentity();
    $this->_redirect('/identity/login');
0
votes

This is what I have in my logout action:

    Zend_Session::destroy();
    $this->_helper->redirector('index', 'index');

And since the Zend_Auth identity is saved in a session, it gets destroyed as well. If I do a back (from the navigator), the absence of identity is caught and I am redirected to the login screen.

0
votes

The method I would use is to force the login page to take place in a new window instance. When the user logs out, close that window. There will be nothing to go back to.

The alternative is to use sessions and do a POST every time the user moves to a new page. Hitting the back button here would require the content to be POSTed again, but the session would be closed and the request would fail.