Prevent back button after logout




Add the below code inside script tag in the login HTML page (or whichever page it redirects to after logout)
<script>
    history.pushState(null, null, null);
    window.addEventListener('popstate', function () {
        history.pushState(null, null, null);
    });
</script>
It will disable the back button. You will not be able to go back by clicking on the back button.
Note: Not tested on Safari.

Note that although users can't change anything after resetting session data and/or cookies, they may still see the usual information accessible to a logged-in user as it appeared on the last visit. That is caused by the browser caching the page.
You have to be sure to add the header on every page accessible by a logged-in user, telling the browser that the data is sensitive and it should not cache the script result for the back button. It is important to add
header("Cache-Control: no-cache, must-revalidate");
Note that elements other than the immediate result of the script under this header will still be cached, and you can benefit from that. See that you gradually load parts of your page and tag sensitive data and the main HTML with this header.
As the answer suggests, unsetting the logged_in portion of the $_SESSION global variable can achieve logging out, but be aware that, first, you don't need to destroy the session, as mentioned in PHP's session_destroy() documentation:
Note: You do not have to call session_destroy() from usual code. Cleanup $_SESSION array rather than destroying session data.
And second, you'd better not destroy the session at all, as the next warning in the documentation explains.
Also, unset() is a lazy function, meaning that it won't apply the effect until the next use of the (part of the) variable in question. It is good practice to use assignment for immediate effect in sensitive cases, mostly global variables that may be used in concurrent requests. I suggest you use this instead:
$_SESSION['logged_in'] = null;
and let the garbage collector collect it; at the same time, it is not valid as a logged-in user.
Finally, to complete the solution, here are some functions:
<?php
// session_start() must already have been called before these functions are used.

/*
 * Check the authenticity of the user
 */
function check_auth()
{
   if (empty($_SESSION['logged_in']))
   {
      header('Location: login.php');
      // Immediately exit and send the response to the client; do not go further in whatever script this is part of.
      exit();
   }
}

/*
 * Logging the user out
 */
function logout()
{
   $_SESSION['logged_in'] = null;
   // empty($null_variable) is true and isset($null_variable) is false, but the key still exists in the array,
   // so unset() it too as a safeguard for further code (e.g. array_key_exists()).
   unset($_SESSION['logged_in']);
   // Note that the script continues running since it may be a part of an ajax request and the rest handled in the client side.
}
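
Putting the cache header and the session checks from this answer together, as an added example that is not part of the original answers: a guard to include at the top of every logged-in page, and a logout that clears the session, expires its cookie and then destroys it. The file names auth.php and login.php are assumed.

```php
<?php
// auth.php (assumed name): include at the top of every page only a logged-in user may see.
// Added example, not from the original answers.

function send_no_cache_headers(): void
{
    // no-store keeps the HTML out of the back/forward cache entirely; the
    // no-cache, must-revalidate directives from the answer above are kept as well.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');   // for old HTTP/1.0 caches
    header('Expires: 0');
}

function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    send_no_cache_headers();
    if (empty($_SESSION['logged_in'])) {
        header('Location: login.php');
        exit();   // nothing below this line may reach an unauthenticated client
    }
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];   // clear the data first, as the PHP manual recommends
    if (ini_get('session.use_cookies')) {
        // Expire the session cookie so the browser stops sending the old ID.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    send_no_cache_headers();
    header('Location: login.php');
    exit();
}
```

With these headers sent on every protected page, pressing Back after logout makes the browser re-request the page, and require_login() redirects to login.php instead of showing a cached copy.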

Here's an easy and quick solution.
To the login form tag add target="_blank", which displays the content in a different window. Then after logout simply close that window and the back button problem (Safari browser) is solved.
Even trying to use the history will not display the page and instead redirects to the login page. This is fine for Safari browsers, but for others such as Firefox, session_destroy(); takes care of it.
In the login validation script, if the user is authenticated, set one session value, for instance as follows:
$_SESSION['status']="Active";
And then in the User Profile script put the following code snippet:
<?php

session_start();

// Redirect unless the login script has set the status to "Active"
if(empty($_SESSION['status']) || $_SESSION['status']!="Active")
{
    header("location:login.php");
    // Stop here so the profile page is not sent after the redirect header
    exit();
}

?>
What the above code does is: only if $_SESSION['status'] is set to "Active" will it go to the user profile, and this session key will be set to "Active" only if the user is authenticated... [Mind the negation ['!'] in the above code snippet]
Probably the logout code should be as follows:
<?php
    session_start();
    // Clear the session data first, then destroy the session, as the PHP manual recommends
    $_SESSION = array();
    session_destroy();
    header("location:login.php");
    exit();
?>
Hope this helps...!!!
Implement this in PHP and not JavaScript.
At the top of each page, check to see if the user is logged in. If not, they should be redirected to a login page:
<?php
      session_start();
      if(!isset($_SESSION['logged_in'])) {
          header("Location: login.php");
          exit();   // do not send the rest of the page after the redirect
      }
?>
As you mentioned, on logout, simply unset the logged_in session variable, and destroy the session:
<?php
      session_start();   // the session must be started before it can be cleared
      unset($_SESSION['logged_in']);  
      session_destroy();  
?>
If the user clicks back now, no logged_in session variable will be available, and the page will not load.
