Using the back button after logging out

alspaughb

I have coded my login form to submit a user name and password. If the user name and password are valid, I register a session variable with the verified user name. My protected pages check for the presence of the session variable before they display their contect. When the user logs out, the session is destroyed. This works fine until I discovered you can use the back button to redisplay the protected pages after logging out.

How can I prevent using the back button to redisplay the protected pages after logging out? It should be possible to do this because web-based email programs like Hotmail and Yahoo Mail can prevent someone from using the back button to read the last person's email after they logged out.

Weedpacket

You can unset the relevant session variables.

Bijan

You mean we shouldn't leave the session destruction to the browser and unset it ourselves, right? Does it work even if you go off line and try to see the previous pages?

alspaughb

I followed Example 2 on the PHP manual web site when you search on the function session_destroy. I am using superglobals, so I did $_SESSION = array(); to get rid of all the session variables followed by session_destroy().

The problem seems to be that the browser is caching the protected pages. If I log out, unplug the network cable, and hit the back button, the pages still appear. How do I prevent this?

Weedpacket

There is some code on the [man]header[/man] page, designed to make it Very Very Clear to even dim browsers (and proxies) that they're not supposed to cache the following content.
It's not 100% guaranteed to work, of course, because in the end there is no obligation that software on the client machine has to do what the server tells it; but it's 99+% solid.