jlmakes

Reputation: 2965

Stopping the back button from exposing secure pages?

I'm encountering an (apparently common) problem with browser caches, and my secure pages being accessible via the back button (after user logout).

Here is my logout.php

<?php
    // 1. Find the session
    session_start();

    // 2. Unset all the session variables
    $_SESSION = array();

    // 3. Destroy the session cookie (expire it with the same path/domain it was set with)
    if (isset($_COOKIE[session_name()])) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params['path'], $params['domain'], $params['secure'], $params['httponly']);
    }

    // 4. Destroy the session
    session_destroy();

    // redirect_to() was a project helper; a plain Location header does the same thing
    header('Location: index.php?logout=1');
    exit;
?>

This successfully logs out users on IE7, IE8, Chrome and Firefox, but in Safari I'm able to press the back button (immediately after logging out) and still see the secure content. If I refresh the secure page, it boots me to the login screen (as it should).

I've tried using:

<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">

...but it has no effect. Can anyone offer any advice? I've found this article on browser caching, but I have yet to find an answer within it... although I did find:

<?php
    header("Cache-Control: must-revalidate");

    // Expires three days in the future
    $offset = 60 * 60 * 24 * 3;
    $ExpStr = "Expires: " . gmdate("D, d M Y H:i:s", time() + $offset) . " GMT";
    header($ExpStr);
?>

...which also does not solve the "problem." Hmm.

Upvotes: 6

Views: 5366

Answers (3)

eyelidlessness

Reputation: 63529

If you can use HTTPS, this combined with a Cache-control: no-cache header will disable the "page cache" (the WebKit term for in-memory/back-forward cache). The downside of this is that it will be disabled for all secure page views, not just after log out. (Source; note they are working on allowing exceptions, it's worth keeping an eye on this.)

If you can depend on JavaScript, attaching an unload event handler will prevent the "page cache". This has the benefit of also allowing you to only break the cache when a "log out" button or link is clicked, by only then attaching the unload event handler. (Source)

Neither of these solutions is ideal, but one of them might be a worthwhile compromise.

Upvotes: 3
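The unload-handler approach from this answer, as an added example that is not code from the thread or from the asker's site. It arms the handler only when the logout link is clicked, and adds a second safety net of my own: if the page does come back from the page cache anyway (a `pageshow` event with `event.persisted === true`), it reloads, which sends the request to the server and lands on the login page just as the manual refresh in the question does. The element id `logout-link` is an assumption, and the `FakeTarget` class is a constructed stand-in for `window` so the logic can be exercised outside a browser.

```javascript
// Added example, not code from the thread. The id "logout-link" and the
// reload-on-restore fallback are assumptions, not something the original site had.

// Constructed stand-in for window / DOM elements (not a real browser API),
// so the behaviour can be checked offline under Node.
class FakeTarget {
  constructor() { this.listeners = {}; }
  addEventListener(type, fn) {
    if (!this.listeners[type]) this.listeners[type] = [];
    this.listeners[type].push(fn);
  }
  dispatch(type, event) {
    (this.listeners[type] || []).forEach((fn) => fn(event || {}));
  }
  count(type) { return (this.listeners[type] || []).length; }
}

// 1. Register an (empty) unload handler only once the user clicks "log out".
// WebKit will not put a page that has an unload handler into its page cache,
// so only the navigation away from the logout click bypasses the cache;
// ordinary secure page views keep fast back/forward.
function armUnloadOnLogout(win, logoutLink) {
  let armed = false;
  logoutLink.addEventListener('click', () => {
    if (armed) return;            // repeated clicks must not stack handlers
    armed = true;
    win.addEventListener('unload', () => { /* intentionally empty */ });
  });
}

// 2. Fallback: if the page still comes back from the page cache (pageshow
// with event.persisted === true), reload it. The reload hits the server,
// which sees the destroyed session and bounces to the login page.
function reloadIfRestoredFromCache(win) {
  win.addEventListener('pageshow', (event) => {
    if (event.persisted) win.location.reload();
  });
}

// Offline simulation of one page lifetime; returns what happened.
function simulate(opts) {
  const win = new FakeTarget();
  win.location = { reloads: 0, reload() { this.reloads += 1; } };
  const link = new FakeTarget();

  armUnloadOnLogout(win, link);
  reloadIfRestoredFromCache(win);

  if (opts.clickLogout) { link.dispatch('click'); link.dispatch('click'); }
  win.dispatch('pageshow', { persisted: Boolean(opts.restoredFromCache) });

  return { unloadHandlers: win.count('unload'), reloads: win.location.reloads };
}

// Real-browser wiring; skipped when run under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const link = document.getElementById('logout-link');   // assumed element id
  if (link) armUnloadOnLogout(window, link);
  reloadIfRestoredFromCache(window);
}
```

Include the script on every authenticated page, not just the one with the logout link: the `pageshow` check is what protects a page that was already in the history when the logout happened elsewhere.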

Chris Henry

Reputation: 12010

Part of the problem is that you're setting an Expires header in the future. Browsers use the Expires header as an indicator of how long something should stay in cache. Try this:

$offset = 60 * 60 * 24 * 3;
$ExpStr = "Expires: " . gmdate("D, d M Y H:i:s", time() - $offset) . " GMT";
header($ExpStr);

This will set an expires header in the past, and force the browser to re-request the page every time.

Upvotes: 0
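To make the difference between the question's headers and this answer's concrete, here is an added example (not code from the thread): a small HTTP-cache freshness check after RFC 7234, covering only the directives used on this page, run over the question's header set, this answer's, and the set I would send on any authenticated page. The clock is fixed so the result is reproducible. Two caveats from my side: this models the ordinary HTTP cache, whereas Safari's back/forward "page cache" is a separate in-memory snapshot that `Expires` alone does not control; and to my knowledge the directive WebKit looks for when deciding whether an HTTPS page may enter that page cache is `Cache-Control: no-store`, which is why the recommended set carries it.

```javascript
// Added example, not code from the thread. Models RFC 7234 freshness for the
// directives used on this page; the "secure page" header set is my own
// recommendation, not something the thread proposed.

const HTTP_DATE = /^[A-Za-z]{3}, \d{2} [A-Za-z]{3} \d{4} \d{2}:\d{2}:\d{2} GMT$/;

// Strict IMF-fixdate parse; anything else (e.g. "Expires: 0") is invalid,
// which RFC 7234 says a cache must treat as already expired.
function parseHttpDate(value) {
  if (!value || !HTTP_DATE.test(value.trim())) return NaN;
  return Date.parse(value.trim());
}

function parseCacheControl(value) {
  const directives = {};
  (value || '').split(',').forEach((part) => {
    const [name, val] = part.trim().toLowerCase().split('=');
    if (name) directives[name] = val === undefined ? true : val.replace(/"/g, '');
  });
  return directives;
}

// How an HTTP cache would treat the response at `now` (ms since epoch).
function classifyResponse(headers, now) {
  const cc = parseCacheControl(headers['cache-control']);
  if (cc['no-store']) {
    return { storable: false, fresh: false, freshnessLifetimeSeconds: 0 };
  }
  let lifetime = 0;
  if (cc['max-age'] !== undefined) {
    lifetime = parseInt(cc['max-age'], 10) || 0;           // max-age beats Expires
  } else {
    const exp = parseHttpDate(headers.expires);
    const dateParsed = parseHttpDate(headers.date);
    const date = Number.isNaN(dateParsed) ? now : dateParsed;
    lifetime = Number.isNaN(exp) ? 0 : Math.max(0, (exp - date) / 1000);
  }
  // no-cache leaves the response storable but forces revalidation every time
  const fresh = !cc['no-cache'] && lifetime > 0;
  return { storable: true, fresh, freshnessLifetimeSeconds: lifetime };
}

const THREE_DAYS = 60 * 60 * 24 * 3;

// What the question sent: must-revalidate plus Expires three days ahead.
function headersFromQuestion(now) {
  return {
    date: new Date(now).toUTCString(),
    'cache-control': 'must-revalidate',
    expires: new Date(now + THREE_DAYS * 1000).toUTCString(),
  };
}

// This answer's change: the same Expires, but three days in the past.
function headersFromAnswer(now) {
  return {
    date: new Date(now).toUTCString(),
    'cache-control': 'must-revalidate',
    expires: new Date(now - THREE_DAYS * 1000).toUTCString(),
  };
}

// My recommendation for any authenticated page: no-store makes the response
// unstorable; the rest covers HTTP/1.0 caches and proxies.
function headersForSecurePage(now) {
  return {
    date: new Date(now).toUTCString(),
    'cache-control': 'no-store, no-cache, must-revalidate',
    pragma: 'no-cache',
    expires: '0',
  };
}

// Fixed clock (a constructed sample timestamp) so the three results are stable.
const SAMPLE_NOW = Date.UTC(2010, 0, 15, 12, 0, 0);
const comparison = {
  question: classifyResponse(headersFromQuestion(SAMPLE_NOW), SAMPLE_NOW),
  answer: classifyResponse(headersFromAnswer(SAMPLE_NOW), SAMPLE_NOW),
  secure: classifyResponse(headersForSecurePage(SAMPLE_NOW), SAMPLE_NOW),
};
```

The question's headers come out as storable and fresh for 259200 seconds, so `must-revalidate` never fires within those three days; the past `Expires` makes the copy stale immediately, which forces revalidation but still leaves the page stored; only `no-store` stops it being stored at all.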

Brent Friar

Reputation: 10609

This would appear to be a WebKit/Safari problem. This has been asked before without a definitive answer here - Safari Back button not honouring PHP logout session

Take a look at the links in the answer, I think you'll find your answer in the Unload Event.

Upvotes: 1
