Don,

The only method that I have discovered to protect the login against the back-button is to validate the session at the top of each and every protected page. Forgive the pseudo code..

<?
if active session {
    // validate privs for this page
    // session start
}else{
    // logout
}
?>

When the back button is pressed it goes through this process, sees that there is no active session, goes to else and shunts back to the login screen.

Hope that helps,
Kevin

----- Original Message -----
From: "Bobby Patel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 17, 2003 3:26 PM
Subject: [PHP] Re: Question about using session and "logging out"

> I believe there is something (a meta tag?) called meta-refresh or just
> refresh.
>
> But I believe you have to set the refresh interval. And if you set the
> interval too small it might eat your server's resources.
>
> OR I just thought of this, sometimes when you get to a page (usually with
> forms?) it says that the page is expired and must be refreshed. Maybe you
> can get that behaviour, so that when someone hits back, they have to
> refresh.
>
> Bobby
>
> "Don" <[EMAIL PROTECTED]> wrote in message
> news:020401c2be4f$c5420fd0$c889cdcd@enterprise...
> Hi,
>
> I have an application that uses sessions to allow customers to access a
> restricted area. That is, they are prompted for a user login and password.
> I then use sessions to track each customer. At the top of each page, I have
> placed the following PHP code:
>
> session_cache_limiter('Cache-control: private');
> session_start();
>
> Everything works fine. However, I have a logout link that when clicked,
> runs the following PHP code (where userid is the login name):
>
> session_cache_limiter('nocache');
> if (isset($HTTP_SESSION_VARS['userid'])) {
>   $HTTP_SESSION_VARS['userid'] = '';
>   session_unregister($HTTP_SESSION_VARS['userid']);
> }
> session_unset();
> session_destroy();
> Header('Location: ' . 'http://www.lclnav.com' . $globals->relative_path .
> 'customerlogin_standard.html');
>
> I think the above is all that is needed to end the session. I use the
> Header() function to take the user back to the login page.
>
> Here is my question: Once I click on the "logout" link and am taken back to
> the main login page, I can click on the browser BACK button and still get my
> previous page 'as if I was still logged in'. Please note that clicking on
> REFRESH tells me that I am not really logged in.
>
> I know that browsers cache pages and there may not be anything I can do,
> however, I have seen sites that seem to work around this; i.e., clicking on
> the back button loads a page telling the user that they are no longer
> logged in. This is what I want to emulate. Is there a PHP method to always
> force a reload the first time a page is called?
>
> Thanks,
> Don

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
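
The per-page session check Kevin describes, combined with response headers that stop the browser from keeping a copy of protected pages, as an added example that is not part of the original messages. The `userid` session key and the login file name come from Don's code; the `LOGIN_URL` path and the function names `require_login` and `logout` are assumptions.

```php
<?php
// Added example, not code from the thread. 'userid' is the session key in
// Don's code; LOGIN_URL is an assumed path to the login page.
const LOGIN_URL = '/customerlogin_standard.html';

// Call at the very top of every protected page, before any output.
function require_login(): void
{
    // Forbid the browser and proxies from storing this page, so BACK has to
    // ask the server again instead of redisplaying a cached copy.
    session_cache_limiter('');   // stop PHP from sending its own cache headers
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');

    session_start();
    if (empty($_SESSION['userid'])) {
        // No active session: send the user to the login screen and stop,
        // so none of the protected page is rendered.
        header('Location: ' . LOGIN_URL, true, 303);
        exit;
    }
    // Session is active: validate privileges for this page here.
}

// Logout handler: end the session on the server and in the browser.
function logout(): void
{
    session_start();
    $_SESSION = [];                          // drop all session variables

    if (ini_get('session.use_cookies')) {    // expire the session cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                       // delete server-side session data

    header('Cache-Control: no-store');
    header('Location: ' . LOGIN_URL, true, 303);
    exit;
}
```

With `no-store` on every protected response, pressing BACK after logout triggers a new request, `require_login()` finds no `userid`, and the browser lands on the login page.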