i'm having a problem and i can't find a similar question anywhere. i have a collection of scripts and with it a user authentication system to secure certain pages.
i have a script named login.inc.php with
session_start();
<--condensed code 🙂 -->
<see if "username" is set, if not form with variables "username" and "password">
<--end condensed code -->
global $username, $password;
session_register("username");
session_register("password");
i add an include('login.inc.php') at the top of every page that i want protected.
when a user logs out they call a script named logout.inc.php which has
session_start();
session_unregister("username");
session_unregister("password");
session_destroy();
everything seems to work fine. user can log in, navigate through the secure pages, and log out. when the user logs out i can see that all session variables are deleted and the sessionID is deleted from the server's tmp directory.
however, when a user hits back on their browser after they have logged out they are presented with "Warning: page has expired". Then, if they hit refresh they are presented with the secure page with all variables intact. i am assuming that this is a browser cache problem, but i thought that no-cache header functions were built into sessions.
i'm really lost on what to do. has anyone else experienced this? has anyone found a way to correct it? if so, could you please explain?
thanks!
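The symptoms above (an expiry warning on Back, then the secure page after Refresh) match the browser resubmitting the login form's POST data. This is an added example, not code from the original post: a Post/Redirect/Get version of the login guard that uses `$_SESSION` instead of `session_register()`. It assumes the protected page was reached directly from the login POST; `check_credentials()` and the demo account are hypothetical.

```php
<?php
// login.inc.php (added example): Post/Redirect/Get login guard.
// check_credentials() is a hypothetical stand-in for the site's own user lookup.
session_start();

// Ask browsers and proxies not to store protected pages.
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');
header('Expires: 0');

function check_credentials($user, $pass)
{
    // Constructed demo account; replace with the real user store.
    $users = array('demo' => password_hash('demo-password', PASSWORD_DEFAULT));
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['username'], $_POST['password'])) {
    if (check_credentials($_POST['username'], $_POST['password'])) {
        session_regenerate_id(true);                 // fresh session ID after login
        $_SESSION['username'] = $_POST['username'];  // never store the password
    }
    // Redirect so the entry kept in browser history is a GET request:
    // Back followed by Refresh can no longer resubmit the credentials.
    // SCRIPT_NAME is the including page's path, without client-supplied PATH_INFO.
    header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
    exit;
}

if (empty($_SESSION['username'])) {
    // Not logged in: show the form and stop before the protected page renders.
    echo '<form method="post">'
       . 'User: <input type="text" name="username"> '
       . 'Password: <input type="password" name="password"> '
       . '<input type="submit" value="Log in"></form>';
    exit;
}
// Logged in: the including page continues below this point.
```

After logout, Back and Refresh now issue a plain GET with no credentials attached, so the guard shows the login form again.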