Hi,
I have the session timeout set at 20 minutes in my php.ini. I also have
ini_set('session.cookie_lifetime', 1200);
in my scripts before session_start();
which will also time out sessions after 20 minutes.
I have a couple of questions about session timeouts:
If the user's session times out, when the user tries to refresh the page, he gets an error page saying that his session has timed out. This works. However, if the user merely clicks his 'back' button, he can get to the previous page that he was on. This may be a security risk: if he leaves his machine with the browser open, all someone would have to do to get to the previous page he was on, prepopulated with information from the previous session, would be to hit the 'back' button. What's the best way around this? I've looked into JavaScript to disable the back button, but this doesn't seem like the most thorough solution.
Can anyone suggest a good JavaScript popup message that will pop up when the session is about to expire, alert the user of this, and give him the option of either continuing or being redirected to a login page to start another session?
Thanks
philosophia
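
One server-side way to handle the back-button case described in the post, as an added example that is not part of the original post: send no-store cache headers so the browser has to re-request the page, and check an idle timestamp on every request so an expired session is redirected to login. The names IDLE_LIMIT, last_activity, guard_page() and /login.php are assumptions made for this sketch.

```php
<?php
// Added example, not from the original post. IDLE_LIMIT, 'last_activity',
// guard_page() and /login.php are assumed names.
declare(strict_types=1);

const IDLE_LIMIT = 1200; // 20 minutes, matching the setting in the post

/** True when the last recorded activity is older than the idle limit. */
function session_is_expired(?int $lastActivity, int $now, int $limit = IDLE_LIMIT): bool
{
    return $lastActivity !== null && ($now - $lastActivity) > $limit;
}

/** Headers telling the browser not to keep a copy it could show on 'back'. */
function no_store_headers(): array
{
    return [
        'Cache-Control: no-store, no-cache, must-revalidate, max-age=0',
        'Pragma: no-cache',
        'Expires: 0',
    ];
}

/** Call at the top of every protected script, before any output. */
function guard_page(): void
{
    ini_set('session.cookie_lifetime', '1200');
    session_start();

    // Sent after session_start() so they replace the session cache-limiter headers.
    foreach (no_store_headers() as $h) {
        header($h);
    }

    if (session_is_expired($_SESSION['last_activity'] ?? null, time())) {
        // Drop the server-side data so nothing can be prepopulated again.
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php?timeout=1'); // assumed login URL
        exit;
    }

    $_SESSION['last_activity'] = time(); // sliding idle window
}
```

With the page not stored by the browser, pressing 'back' triggers a new request, and that request goes through the same idle check as a refresh does.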