tags:

views:

1405

answers:

7

I just wrote a PHP login script, and what I'm trying to accomplish is that when the user clicks the log out link, after they log out, regardless of clicking the back button of the browser, they cannot access the page.

Here is the logout function:

//Start the Session
session_start();
session_destroy();

header("location:login.php");
exit();

I did place the following code on all the pages, and this seems not to do the job:

header ("Expires: Mon, 26 Jul 1997 05:00:00 GMT");    // Date in the past
header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header ("Cache-Control: no-cache, must-revalidate");  // HTTP/1.1
header ("Pragma: no-cache");

//Start the Session
session_start();

Any suggestions?

+3  A: 

Just redirect if there's no login $_SESSION, for example:

//on your protected pages
session_start();
if (empty($_SESSION['logged'])) {   // empty() also covers an unset key without a notice
    header("location:login.php");
    exit();                          // stop here, or the rest of the page is still sent
}

This is what my logout does:

session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}
// Finally, destroy the session.
session_destroy();
karim79
+1  A: 

Check when the user is logged out if the session global is still set with the correct value.

print_r($_SESSION);

The reason for this is that you are doing a session_destroy and then a header redirect; what happens is that you force a redirect and the destroying of the session isn't written to the server that way.

Ólafur Waage
Olafur, I think I'm getting close. If I'm not mistaken it is better to set the $_SESSION superglobal to nothing, like this: $_SESSION = array(); still I'm able to click the browser back button and see the page without the dynamic content, though. I would like to point out that my logout is a simple link to a logout.php. Instead of a link, should I make the logout a button form? See, when clicking back, the browser does just that, goes back; it is not resending the page to be processed again. Any other suggestions?
Ole Media
You should do a check that if the user is accessing the site with an empty session variable, he should be thrown out via a header() redirect.
Ólafur Waage
The problem was that I was not setting the superglobal $_SESSION['logged'] to null. So checking with print_r($_SESSION); helped me to locate the problem. Thanks.
Ole Media
+3  A: 

You can't control the workings of the client-side back button on the server. You could destroy the history data using javascript on the client.

The client can completely ignore the no-cache headers.

jmucchiello
Should I then set up a javascript that, when clicking the logout, sends users to logout.php instead of just making a link <a href="logout.php">logout</a>?
Ole Media
Don't forget javascript does not have to be enabled on the client so don't rely on it.
jmucchiello
You are right. So how can I prevent users from accessing the site by clicking the browser back button after they click logout?
Ole Media
A: 

I would suggest that you use HTTPS with SSL. You can close the SSL session and kick the user back out to a non-encrypted page.

Most browsers implement caching schemes differently.

For example, in Opera you can click Back and it will pull the page data directly from memory without sending any data to the server, even if the page has expired. If you hit Refresh, of course, your server would require the login.

In Internet Explorer, it's handled very differently and form data is resubmitted to the server.

Chris Thompson
A: 

It might be your session_destroy() function. Try this:

unset($_SESSION);

Un-setting the $_SESSION variable will clear out anything stored there.

Check out unset() on PHP.net

Max Felker
A: 

I think you need to store something in the session and then check it on each page load. Here's how I've done it in the past:

Login Script (simplified)

session_start();
// register necessary session variables
$_SESSION['username'] = $username;

Logout Script:

session_start();

// clear the data held in memory first: session_destroy() alone leaves $_SESSION populated
$_SESSION = array();
// destroy the session and check to make sure it has been destroyed
session_destroy();
if (!isset($_SESSION['username'])) {   // session_is_registered() is removed in current PHP; check the array instead
    $loginMessage = 'You have been logged out.';
    include 'index.php';
    exit();
}

// if we're still here, some bad juju happened

Top of Every Page

session_start();

// make sure user is logged in
if (empty($_SESSION['username'])) {   // empty() avoids a notice when the key is not set
    $loginError = "You are not logged in.";
    include("index.php");
    exit();
}


Shea Daniels
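Putting karim79's and Shea Daniels' answers together, here is an added example (not code from any of the posters) of one shared auth.php that every protected page and logout.php can include. It assumes the login page sets $_SESSION['logged'] = true after checking credentials, and it sends Cache-Control: no-store, which is the directive that tells the browser not to keep a copy of the page for the back button; the server still cannot force a browser that ignores it.

```php
<?php
// auth.php: included by every protected page and by logout.php.
// Assumption: login.php sets $_SESSION['logged'] = true on success (not shown).

// Ask browsers and proxies not to store this page at all. "no-cache" on its
// own only forces revalidation; "no-store" is what keeps the page out of the
// history cache that the back button reads from.
function send_no_cache_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');                          // HTTP/1.0 proxies
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');    // date in the past
}

// Call at the very top of every protected page, before any output.
function require_login(string $loginUrl = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    send_no_cache_headers();
    if (empty($_SESSION['logged'])) {
        header('Location: ' . $loginUrl);
        exit();   // without exit() the protected content is still sent
    }
}

// Complete logout: clear the data in memory, drop the client's cookie,
// destroy the server-side record, then redirect. A cached page reached via
// the back button now has no session behind it.
function logout(string $loginUrl = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                                      // not unset($_SESSION)
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    send_no_cache_headers();
    header('Location: ' . $loginUrl);
    exit();
}

// members.php:  require 'auth.php'; require_login();  ...page content...
// logout.php:   require 'auth.php'; logout();
```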
A: 
$_SESSION['blah'] = '';

This works too.

Paul Janaway
Paul, yes, this sets the session variable to nothing. But the problem that I'm having is that when I click the browser back button, I can still access the previous members page. However, the member page is shown without the dynamic content that comes from session variables. What I'm trying to accomplish is that when clicking logout, users cannot access the site even if they click the browser back button.
Ole Media