How can I prevent the user from going back after logging out in PHP?

I just wrote a PHP login script, and what I'm trying to achieve is that when the user clicks on the logout link, after logging out, regardless of clicking the browser's back button, they cannot access the page.

Here is the logout function:

    // Start the session
    session_start();
    session_destroy();
    header("location:login.php");
    exit();

I put the following code on all pages, and this does not seem to do the job:

    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
    header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
    header("Pragma: no-cache");
    // Start the session
    session_start();

Any suggestions?

+7
php
8 answers

Check when the user is logged out if the global session is still set up with the correct value.

 print_r($_SESSION); 

The reason for this is that you execute session_destroy and then redirect with a header; what happens is that you force a redirect, and the session destruction is not written to the server this way.

+2

You cannot control the operation of the back button on the server. You can destroy history data using JavaScript on the client.

The client can completely ignore no-cache headers.

+8

Just redirect if there is no login in $_SESSION, for example:

    // on your protected pages
    session_start();
    if (empty($_SESSION['logged'])) {
        header("location:login.php");
        exit(); // stop here so the protected page is not sent after the redirect
    }

This is what my logout does:

    session_start();

    // Unset all of the session variables.
    $_SESSION = array();

    // If it's desired to kill the session, also delete the session cookie.
    // Note: This will destroy the session, and not just the session data!
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time()-42000, '/');
    }

    // Finally, destroy the session.
    session_destroy();

+2

I think you need to store something in the session, and then check it on loading each page. Here's how I did it in the past.

Login script (simplified)

    session_start();
    // register necessary session variables
    $_SESSION['username'] = $username;

Logout script:

    session_start();
    // destroy the session and check to make sure it has been destroyed
    session_destroy();
    // session_is_registered() was removed in PHP 5.4; session_status() is used instead
    if (session_status() !== PHP_SESSION_ACTIVE) {
        $loginMessage = 'You have been logged out.';
        include 'index.php';
        exit();
    }
    // if we're still here, some bad juju happened

Top of each page

    session_start();
    // make sure user is logged in
    if (empty($_SESSION['username'])) {
        $loginError = "You are not logged in.";
        include("index.php");
        exit();
    }

+2

I would suggest that you use HTTPS with SSL. You can close the SSL session and push the user to an unencrypted page.

Most browsers implement caching schemes in different ways.

For example, in Opera, you can press "Back", and it will pull the page data directly from memory without sending data to the server, even if the page has expired. If you click Refresh, of course, your server will require a login.

In Internet Explorer, it is processed in a completely different way, and the form data is re-sent to the server.

0

It may be your session_destroy() function. Try the following:

    unset($_SESSION);

Unsetting the $_SESSION variable will remove anything that is stored there.

Refer to unset() on PHP.net

0

 $_SESSION['blah'] = ''; 

This also works.

0

    <?php
    session_start();
    if (!isset($_SESSION['username']) && !isset($_SESSION['password'])) {
        header("Location:../index.php");
        exit;
    } else {
        session_destroy();
    }
    ?>

It really helps me. Paste this on every page, or on the page where you log out:

    <?php
    session_start();
    session_unset();
    session_destroy();
    header("Location:../index.php");
    exit;

And it is as simple as this when destroying a session.

0