How can I disable the back browser button after user press logout and destroy session?
login.php page :
<?php
if (isset($_POST['uname'], $_POST['pwd'], $_POST['type'])) {
$Username = $_POST['uname'];
$Password = $_POST['pwd'];
$User_Type=$_POST['type'];
if (!(empty($Username) || empty($Password) || empty($User_Type)))
{
$model = new UsersModel();
$rowsCount = $model->checkUser($Username,$Password,$User_Type);
if ($rowsCount!=0)
{
$_SESSION['user'] = $Username;
header("Location:LoginViewController.php");
} else {
echo 'Bad user';
}
} else {
echo 'Please, fill all inputs';
}
} else {
echo 'Bad form sent';
}
?>
<form name="f1" method="POST" action="" >
// inputs
</form>
LoginViewController.php :
<?php
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
if (!isset($_SESSION['user'])) {
header('Location: login.php');
exit();
}
echo 'You have successfully logged as '.$_SESSION['user']
?>
And add the headers to force the browser to revalidate the pages :
logout.php :
<?php
session_start();
session_destroy();
$_SESSION = array();
header("location: login.php");
?>
This is caused by the browser cache that is keeping details in the page, if you refresh the page or you move any further in your private area you will be prompted to login page and you will not be able to see anything, assuming that your login check system is correctly configured.
You can otherwise force the browser to not cache the page and have a new request to the server for the page
header("Cache-Control: private, must-revalidate, max-age=0");
header("Pragma: no-cache");
header("Expires: Fri, 4 Jun 2010 12:00:00 GMT");
You should do a redirect from your logout script.
For example:
header("Location: index.php");
You if user hits back next time, it'll go to the logout.php page again, where you can do the check again and redirect again :) It's an infinite loop if the user tries again.