Prevent back button after logout

Question

I don\'t want the user to go back to secured pages by clicking back button after logging out. In my logout code, I am unsetting the sessions and redirecting to login page.Bu

Answer 1

Implement this in PHP and not javascript.

At the top of each page, check to see if the user is logged in. If not, they should be redirected to a login page:

<?php 
      if(!isset($_SESSION['logged_in'])) : 
      header("Location: login.php");  
?>

As you mentioned, on logout, simply unset the logged_in session variable, and destroy the session:

<?php
      unset($_SESSION['logged_in']);  
      session_destroy();  
?>

If the user clicks back now, no logged_in session variable will be available, and the page will not load.

Answer 2

I was facing this same problem and spent whole day in figuring out it, Finally rectified it as follows:

In login validation script if user is authenticated set one session value for instance as follows:

$_SESSION['status']="Active";

And then in User Profile script put following code snippet:

<?php

session_start();

if($_SESSION['status']!="Active")
{
    header("location:login.php");
}

?>

What above code does is, only and only if $_SESSION['status'] is set to "Active" then only it will go to user profile , and this session key will be set to "Active" only if user is authenticated... [Mind the negation [' ! '] in above code snippet]

Probably logout code should be as follows:

{
    session_start();
    session_destroy();
    $_SESSION = array();
    header("location:login.php");
}

Hope this helps...!!!

Answer 3

Avoiding the user to go back is not a good reason and most of all not secure at all.

If you test the user's session before every "admin" action made on the website, you should be fine, even if the user hit the back button, sees the cached page and tries something.

The "ties something" will return an error since the session is no longer valid.

Instead, you should focus on having a really secured back office.