back button and session problem

AmadoR

hello.

i'm having a problem with an application i'm developing. i use sessions to control access through my pages once a user has logged in. eventually, the user hits a link which takes him to the 'log out page'.

here comes the problem: once the user loads the 'log out page', which destroys the session (and i've check that it does destroys it because i checked the sessions id files in the server's session folder), he can press the browser's BACK button and access to the web site again and continue browsing even though the session has been destroyed. only when he hits the RELOAD button of the browser, the checking script of each page notices that the user has no session authorization and shows the 'please log in again page'.

i've already added the no-cache headers i each page and the BACK button still allows the access to the previous page.

please please please help me please. thank you very much in advanced.

planetsim

the header no-cache bit isnt a reliable source..

The session once destroyed is still sort of active until the browser is closed or the user has moved elsewhere.

Now your problem about the user being able to press the back button and continue in the same session is a common problem..

I usually try and open/close a window..

So close the current window and create a new one (sort of like an onload statement) which will do both.. That way the user must log in again..

You could always try this

// HTTP/1.1
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);

// HTTP/1.0
header("Pragma: no-cache");

that way it does HTTP/1.0 and HTTP/1.1

HTTP/1.1 is starting to become more commonly used now.

AmadoR

my the cache header part is similar:

session_start();
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); 
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");

but i want to understand why the sessions aren't working. are you saying that in PHP, even with the session destroyed and no chache headers the users will be able to explore my web site when they hit the BACK button? is the only way closing the window?

i don't know a lot o ASP, but i have access to some ASP applications that somehow, when you log out and hit the BACK button, the web site doesn't lets you to actually go back and loads a page telling you that.

the solution of closing/opening windows seems ok, but i have to do that with javascript. what happens if it is disabled in the user's browser?

is there a way i can reload the previous page so my session checking script can detect the lack of a session?

thanks again for your help.