Prevent caching

Anon

I have a page which checks if a cookie is set, if so the user can add data to a database.

If you press 'Log out', the cookie is deleted and the user redirected to another page.

But when the user hits the Back-button of his browser, the previous page is shown correctly although the cookie is deleted.

I already use the following code in the first (secured) page:
<?php
// Make page not cachable (insist on refresh)
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");// always modified
header("Cache-Control: no-cache, must-revalidate");// HTTP/1.1
header("Pragma: no-cache"); // HTTP/1.0

razorsedgeuk

I think that EVERY page that you want to check must see if the session or cookie or whatever is set.

If not set, then jump to the login page automatically by using

header('Refresh: 0;URL=/login.htm');

This seems to be working for me.

Regards,

Richard Quadling.

Anon

Actually, I do that (every pages checks of the cookie is set and if a corresponding record exists in the db)

My code:

<?php
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");// always modified
header("Cache-Control: no-cache, must-revalidate");// HTTP/1.1
header("Pragma: no-cache"); // HTTP/1.0

if(!isset($Login))
{
header ("location: http://www.mysite.com/index.php");
}
else
{
include ("connectdatabase.php");

$sqlquery = ("SELECT Ses, User, IP, Begin, End FROM Active WHERE Ses='$Login'");
$result = mysql_query($sqlquery) or die ("Error: Unable to execute query 3"); 
$row = mysql_fetch_array($result);

if (!(($row['IP'] == $REMOTE_ADDR) && ($row['End'] == '0000-00-00 00:00:00')))
{
	setcookie("Login", "", "", "/" );
	header ("location: http://www.mysite.com/index.php"); 
	mysql_close();
}
else
{

razorsedgeuk

Are you using PHP 4's sessions?

Are cookies being allowed on the browser?

Are you running any cookie-blockers?

Out of interest, if you change location to refresh, does that make a difference?

Having said that, you are pressing BACK. The browser may well be using a local image (somehow) of the page, or one of the servers along the route is caching it.

During the Logout bit, do you clear out the cookie? You may want to set it to LOGGED_OUT and test that too.

Not sure.

I am using the headers like you and if I press back, I get an expired message (as I expect to get).

Richard.

Anon

Hi, I usually work with the session functions like this:

I place session_destroy on the logout page (= my login page; index.php) to unset all cookies.

In anology to Richard and Ron, I use a cookie check on every page on my site. If you already include some kind of

include "mylib.inc"

on all your pages, you can place the cookie check in the library. Here's the check:

session_start();
if(!isset($user)) die ("You are not logged in.<br><br>\n\n<a href=index.php>Login</a>");

Is back-button-proof. 😉

Anon

"Are you using PHP 4's sessions?"
No (I'm using PHP3, with my code I'm trying to have some sort of custiom session system)

"Are cookies being allowed on the browser?"
Yes

"Are you running any cookie-blockers?"
No

"if you change location to refresh, does that make a difference?"
No

"During the Logout bit, do you clear out the cookie? You may want to set it to LOGGED_OUT and test that too."
I use setcookie("Login", "", "", "/" );

razorsedgeuk

You use isset to see if $Login is there.

Can you amend the code to see if it is zero length also.

You MAY (I cannot guarantee this), that the cookie IS present, it is simply empty, so isset is TRUE, but strlen() is 0.

Perhaps.

Richard.

Anon

After a couple of days I 'solved' the problem.

The script was ok, but I was testing it on my pc at work, which is in a netwerk with WinGate. WinGate was the problem; it caches the secured webpage.

Ron,
The Netherlands