Prevent users from returning after exiting

Question

I don't want the user to return to the protected page by clicking the back button after logging out. In my logout code I unset the session and redirect to the login page. However, I think the browser is caching the page, so it's still visible despite the session being destroyed by logout.

I can avoid this by not allowing browser caching

header("Cache Control", "No cache, no storage, must be re-validated")

But then I lose the advantage of browser caching.

Please suggest a better way to achieve this. I feel like there must be a way to handle this via the javascript client

Answer 1

I also encountered the same problem and spent a whole day to solve it, The final correction is as follows:

In the login verification script, if the user is authenticated, set a session value, such as the following:

$_SESSION['status']="Active";

Then put the following code snippet in the user profile script:

The function of the above code is that only and only if $_SESSION['status'] is set to "Active", it will go to the user profile, and only if This session key is only set to 'Active' when the user is authenticated... [note the negation [' ! '] in the snippet above]

The logout code should probably be as follows:

{
    session_start();
    session_destroy();
    $_SESSION = array();
    header("location:login.php");
}

Hope this helps...!!!

Answer 2

Implement this functionality in PHP, not in javascript.

At the top of every page, check if the user is logged in. If not, they should be redirected to the login page:

As you mentioned, when logging out, just unset the logging_in session variable and then destroy the session:

If the user clicks back now, no logged_in session variable will be available and the page will not load.