Hi Kevin,

I don't understand this part well:

> if active session {
>     // validate privs for this page

Can you give a small example?

TIA,
Stas

"Kevin Stone" <[EMAIL PROTECTED]> wrote in message
news:019501c2be78$4ad0dc30$6601a8c0@kevin...
> Don,
>
> The only method that I have discovered to protect the login against the
> back-button is to validate the session at the top of each and every
> protected page. Forgive the pseudo code..
>
> <?
> if active session {
>     // validate privs for this page
>     // session start
> }else{
>     // logout
> }
> ?>
>
> When the back button is pressed it goes through this process, sees that
> there is no active session, goes to else and shunts back to the login
> screen.
>
> Hope that helps,
> Kevin
>
> ----- Original Message -----
> From: "Bobby Patel" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, January 17, 2003 3:26 PM
> Subject: [PHP] Re: Question about using session and "logging out"
>
>
> > I believe there is something (a meta tag?) called meta-refresh or just
> > refresh.
> >
> > But I believe you have to set the refresh interval, and if you set the
> > interval too small it might eat your server's resources.
> >
> > OR I just thought of this, sometimes when you get to a page (usually with
> > forms?) it says that the page is expired and must be refreshed. Maybe you
> > can get that behaviour, so that when someone hits back, they have to
> > refresh.
> >
> > Bobby
> >
> > "Don" <[EMAIL PROTECTED]> wrote in message
> > news:020401c2be4f$c5420fd0$c889cdcd@enterprise...
> > Hi,
> >
> > I have an application that uses sessions to allow customers to access a
> > restricted area. That is, they are prompted for a user login and password.
> > I then use sessions to track each customer. At the top of each page, I have
> > placed the following PHP code:
> >
> > session_cache_limiter('Cache-control: private');
> > session_start();
> >
> > Everything works fine.
> > However, I have a logout link that when clicked,
> > runs the following PHP code (where userid is the login name):
> >
> > session_cache_limiter('nocache');
> > if (isset($HTTP_SESSION_VARS['userid'])) {
> >     $HTTP_SESSION_VARS['userid'] = '';
> >     session_unregister($HTTP_SESSION_VARS['userid']);
> > }
> > session_unset();
> > session_destroy();
> > Header('Location: ' . 'http://www.lclnav.com' . $globals->relative_path .
> > 'customerlogin_standard.html');
> >
> > I think the above is all that is needed to end the session. I use the
> > Header() function to take the user back to the login page.
> >
> > Here is my question: Once I click on the "logout" link and am taken back to
> > the main login page, I can click on the browser BACK button and still get my
> > previous page 'as if I was still logged in'. Please note that clicking on
> > REFRESH tells me that I am not really logged in.
> >
> > I know that browsers cache pages and there may not be anything I can do,
> > however, I have seen sites that seem to work around this; i.e., clicking on
> > the back button loads a page telling the user that they are no longer
> > logged in. This is what I want to emulate. Is there a PHP method to always
> > force a reload the first time a page is called?
> >
> > Thanks,
> > Don

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
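
Added example, not part of the thread: one way to write the per-page check that Kevin sketches in pseudocode, together with a logout that clears the session and headers that stop the browser from showing a stored copy on Back. It assumes PHP 7.1 or later; the `privs` session key, the `/login.php` path and the function names are assumptions, while `userid` is the key from Don's code.

```php
<?php
// guard.php: added illustration, to be included at the top of every protected page.
// Assumed names (not from the thread): $_SESSION['privs'], /login.php,
// send_no_store_headers(), has_priv(), require_priv(), logout().

function send_no_store_headers(): void
{
    // Tell the browser not to keep a copy, so Back has to re-request the
    // page and the session check runs again on the server.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

function has_priv(array $session, string $needed): bool
{
    // "Active session" = a non-empty userid; the privilege must be in the
    // list stored at login time.
    return !empty($session['userid'])
        && in_array($needed, $session['privs'] ?? [], true);
}

function require_priv(string $needed): void
{
    session_start();
    send_no_store_headers();
    if (!has_priv($_SESSION, $needed)) {
        header('Location: /login.php');   // the "else: logout" branch
        exit;
    }
}

function logout(): void
{
    session_start();
    $_SESSION = [];                        // drop the server-side data
    if (ini_get('session.use_cookies')) {  // expire the session cookie as well
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    send_no_store_headers();
    header('Location: /login.php');
    exit;
}

// At the top of a protected page, before any output:
// require 'guard.php';
// require_priv('view_orders');
```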