Reputation: 44
I am developing an application using CodeIgniter. In this application, when the user clicks the logout button I unset the session, but when I click the back button in my browser I get the last logged-out page.
How to solve this problem?
Upvotes: 0
Views: 1565
Reputation: 47
Add this code in the constructor:

```php
// Controller name "Task" is inferred from $this->task_model and redirect('task/logout') below.
class Task extends CI_Controller {

    // ## start Constructor ##
    public function __construct() {
        parent::__construct();
        //********** Back button will not work, after logout **********//
        header("Cache-Control: no-store, no-cache, must-revalidate");
        header("Cache-Control: post-check=0, pre-check=0", false);
        // HTTP/1.0
        header("Pragma: no-cache");
        // Date in the past
        header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
        // always modified
        header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
        //********** Back button will not work, after logout **********//
    }
    // ## End Constructor ##

    public function index() {
        redirect('home/logout');
    }

    public function home() {
        $this->form_validation->set_rules('username', 'User', 'trim|required');
        $this->form_validation->set_rules('password', 'Password', 'trim|required');
        if ($this->form_validation->run() AND $data['records'] = $this->task_model->check_login()) {
            $this->session->set_userdata('logged_in', TRUE);
            $this->load->view('home');
        } else {
            redirect('task/logout');
        }
    }

    public function logout() {
        $this->session->unset_userdata('userid');
        $this->session->unset_userdata('username');
        // CodeIgniter's session library destroys the session with sess_destroy(), not destroy()
        $this->session->sess_destroy();
        redirect(base_url());
    }
}
```
Try this. It will solve the "back" button problem.
Upvotes: 0
Reputation: 5293
I have already had this kind of thing, and what I did is this:
In your .htaccess:

```apache
<IfModule mod_headers.c>
    Header add Cache-Control "no-store, no-cache, must-revalidate"
</IfModule>
```
My idea with your problem is that you have to clear the cache automatically, so that once you unset the session you cannot go back to the previous page (I mean view the last page).
Same idea if you were trying to do it in PHP.
```php
/* content security */
function weblock() {
    $ci =& get_instance();
    $ci->load->library('session');
    $ci->load->model('mlogin');
    // clear cache to prevent backward access
    $ci->output->set_header("Cache-Control: no-store, no-cache, must-revalidate, no-transform, max-age=0, post-check=0, pre-check=0");
    $ci->output->set_header("Pragma: no-cache");
    // prevent unauthenticated access
    if ($ci->session->userdata('user_data') == FALSE) { redirect('clogin/logout'); }
    // prevent invalid authentication
    if (!$ci->mlogin->authenticate()) { redirect('clogin/logout'); }
}
```
Try to create a function like this. Just call it in every constructor of your controllers.
Hope this enlightens you :)
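Both the constructor headers in the first answer and weblock() in the second combine two different things: response headers that tell the browser not to keep a cached copy, and a server-side session check, which is the actual access control. The following is an added example (not code from the question, from either answer, or from CodeIgniter itself) of a base controller that does both in one place, so every protected controller gets them by extending it. It assumes CodeIgniter 3, a session key 'logged_in' as used in the first answer, and a login controller named 'clogin' as in the second; those names, and the Dashboard controller, are assumptions for illustration.

```php
<?php
// --- application/core/MY_Controller.php ---
// Added example; assumes CodeIgniter 3. Session key 'logged_in' and the
// 'clogin' login route are assumptions borrowed from the answers above.
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');
        $this->send_no_store_headers();
    }

    // Ask the browser (and any intermediate cache) not to store this response,
    // so the back button has to re-request the page from the server instead of
    // replaying a copy that was captured while the user was still logged in.
    protected function send_no_store_headers()
    {
        $this->output->set_header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
        $this->output->set_header('Pragma: no-cache');                         // HTTP/1.0 caches
        $this->output->set_header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');   // already expired
    }

    // Server-side gate. The headers above are only advice to the client; this
    // check is what actually stops a logged-out user from receiving protected
    // content, so it must run on every request, not only after logout.
    protected function require_login()
    {
        if ($this->session->userdata('logged_in') !== TRUE) {
            redirect('clogin');
        }
    }
}

// --- application/controllers/Dashboard.php (shown here in the same block) ---
// A protected controller extends the base class and calls require_login()
// in its constructor; the no-store headers come with the parent constructor.
class Dashboard extends MY_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->require_login();
    }

    public function index()
    {
        $this->load->view('dashboard');   // view name is an assumption
    }

    public function logout()
    {
        // sess_destroy() removes the server-side session data and the cookie,
        // so a replayed request can no longer pass require_login().
        $this->session->sess_destroy();
        redirect('clogin');
    }
}
```

A quick check that the headers actually reach the browser is `curl -I` against a protected URL and confirming `Cache-Control: no-store` is in the response; a reverse proxy or a later `header()` call in a view can override what the controller set. Even if they are stripped, require_login() still blocks any fresh request after logout; what remains is only the copy the browser already holds.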
Upvotes: 0
Reputation: 25445
A solution would be to use POST, and the pattern PRG (POST-REDIRECT-GET):
Create a logout button:
```php
<?php echo form_open('logout'); ?>
<button type="submit">Logout</button>
<?php echo form_close(); ?>
```
In your controller:
```php
public function logout() {
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        // destroy session
        $this->session->sess_destroy();
        // redirect to other page
        redirect('login', 'refresh');
    }
}
```
This solves the "back" button problem, and also helps against CSRF attacks.
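An added example (not the answer's own code) that fleshes out the PRG logout above for CodeIgniter 3: CSRF protection is switched on in the config, form_open() then emits the token field by itself, and the controller changes state only on a POST, rendering a confirmation form for anything else. The controller name Auth, the 'login' route and the view name 'logout_confirm' are assumptions for illustration.

```php
<?php
// Added example for CodeIgniter 3; Auth, 'login' and 'logout_confirm' are assumed names.

// --- application/config/config.php (relevant lines only) ---
// With csrf_protection on, form_open() adds a hidden token field and
// CI_Security rejects any POST whose token does not match the CSRF cookie,
// before the controller is ever reached.
//   $config['csrf_protection'] = TRUE;
//   $config['csrf_token_name']  = 'csrf_token';
//   $config['csrf_cookie_name'] = 'csrf_cookie';
//   $config['csrf_expire']      = 7200;

// --- application/views/logout_confirm.php ---
// The view is one line of PHP; form_open() renders the token field for us:
//   echo form_open('auth/logout') . '<button type="submit">Logout</button>' . form_close();

// --- application/controllers/Auth.php ---
defined('BASEPATH') OR exit('No direct script access allowed');

class Auth extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper(array('form', 'url'));
        // No cached copies of anything this controller renders.
        $this->output->set_header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
        $this->output->set_header('Pragma: no-cache');
    }

    public function logout()
    {
        // A GET (a link, a bookmark, a prefetch) never changes state: it only
        // shows the confirmation form. Only a POST from our own form logs out.
        if ($this->input->method(TRUE) !== 'POST') {
            $this->load->view('logout_confirm');
            return;
        }

        // POST: the CSRF token was already validated by CI_Security, so this
        // request really came from a form we issued to this browser.
        $this->session->sess_destroy();

        // Redirect (the R in PRG) so "back" and "reload" never replay the POST,
        // and the logged-out login page is what lands in the browser history.
        redirect('login', 'refresh');
    }
}
```

Because the state change happens only on a token-bearing POST, a third-party page cannot log the user out by embedding the logout URL in an image or a link, and a cached GET of /auth/logout is harmless. The `$_SERVER['REQUEST_METHOD']` test in the answer does the same job as `$this->input->method(TRUE)`; the latter is just the framework's wrapper.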
Upvotes: 2