tags:

views:

165

answers:

1
Q: 

Safari Back button not honouring PHP logout session

I've got a logout.php page which ends a user's session and works well and does the following:

session_start(); session_unset(); session_destroy();

I've just noticed when testing with Safari that when you logout you can click the back button to return to the previous page which requires authentication but are not prompted. You cannot navigate away from this page without entering the navigation but it should not be displaying the previous page in the first place.

So far in my testing this is only an issue with Safari on Mac OS X and there are a number of other reports about this but with no resolution that I could find:

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_23702691.html

I would love to be able to disable this behaviour with Safari's back button - surprised that this is happening in the first place.

Thanks, Steve

A: 

Ensure that any page you serve which requires authentication is being sent with suitable cache control headers. The page is being displayed from the browser cache, by providing cache control which explicitly forbids caching you should be able to stop this.

From http://php.net/manual/en/function.header.php

<?php
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past
?>

Specifically for Safari, there's some discussion about caches and unload events, which you might be able to use to avoid caching. It seems that WebKit does have some complications with caching in general.

http://webkit.org/blog/427/webkit-page-cache-i-the-basics/

http://webkit.org/blog/516/webkit-page-cache-ii-the-unload-event/

ptomli  2010-06-09 14:05:38
Hi thanks for your comment. I've previously tried this to no avail. I just added them again and it's still loading the page which requires authentication. Problem seems to be with webkit based browsers such as Safari for Mac and the iPhone as well.
Steve Kemp  2010-06-09 14:13:53
I've added a couple of links. When you do the "login, logout, back" procedure, try using the Safari/Chrome developer tools to inspect the HTTP headers the browser has detected (Developer Tools -> Resources, click on the page entry on the left).
ptomli  2010-06-09 14:42:08
Thanks very much I will look into this - further searching had led me to the same conclusion re the onUnload event etc. Thanks
Steve Kemp  2010-06-09 16:20:05

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases