Prevent users using the back button.
#1

[eluser]richzilla[/eluser]
How can I prevent my users from using the back button on their browser to return to a secured area after they've been logged out? At present I have a simple logout procedure:

Code:
function logout() {
    $this->session->sess_destroy();
    $this->load->view('site_view');
}

and the login check for my secure pages is:

Code:
function secure() {
    if ($this->session->userdata('loggedIn') == TRUE) {
        $this->load->view('secure_page');
    }
    else {
        $this->session->set_flashdata('status', 'You must be logged in to view this page.');
        redirect('site');
    }
}

Yet after my users have logged out of the page, they can still click the back button and return to the visited page.

Any help would be appreciated.

Thanks.
#2

[eluser]nEJC[/eluser]
These users are back and are actually not back.

Most browsers will not request the previous page but will rather redraw it from cache.
This means that the previous page is displayed correctly, but the user's authorization is still invalidated: they shouldn't be able to do anything (if you do proper checks on every controller authorized users use).

You could do some hacking with JavaScript (see http://www.boutell.com/newfaq/creating/backbutton.html) but disabling JS would again break your hack.

The best thing to do is actually (as I already mentioned) to check if the user is still authenticated on every sensitive controller access ... this way you don't need to worry about the back button.
#3

[eluser]kurucu[/eluser]
You could also send the nocache headers, I think, so that pages are always requested.

Really you can't stop users pressing "back", that's their decision not yours. However
- as stated, some JavaScript would definitely be able to help (although annoying for your user)
- definitely secure all actions on the controller
- other options include using POST data for all actions so that the browser refreshes the page, or
- post secure pages through a redirect... thus the browser would re-request the redirecting controller on pressing back, and not the viewed page before it.
- HTTPS doesn't cache, as far as I know, so you could switch to that

No really nice solutions; I think the nocache is the cleanest, but it will increase your server load.

Also, different browsers do different things, so read up on stopping caches well!
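Putting nEJC's advice (re-check authentication on every sensitive controller access) and kurucu's (send no-cache headers so the page is re-requested) together in one place, as an added example that is not code from this thread. It assumes CodeIgniter 2.x conventions (`CI_Controller`, `parent::__construct()`, a base controller in application/core/MY_Controller.php, the session library and the url helper); the `loggedIn` session key, the `site` and `secure_page` names come from the original post's snippets, while `MY_Controller`, `Account` and `Auth` are names chosen for the example. The three classes are shown in one listing for readability; in a real app each controller goes in its own file.

```php
<?php
// Added example, not from the thread. A base controller that every protected
// controller extends. On every request it:
//  1. sends no-cache headers so the browser re-requests the page instead of
//     redrawing it from cache (kurucu's point). `no-store` is the directive that
//     stops the response being kept at all; the others cover HTTP/1.0 clients
//     and proxies. Browsers still differ, so test the ones you care about.
//  2. refuses the request unless the session still says the user is logged in
//     (nEJC's point: the back button is harmless if every request is checked).
// The server-side check in step 2 is the actual security control; the headers
// in step 1 only improve what the user sees after logging out.
// Assumes CodeIgniter 2.x (CI_Controller, parent::__construct()).

class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->helper('url');
        $this->load->library('session');

        // 1. Nothing served by a protected controller may be cached.
        header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
        header('Pragma: no-cache');   // HTTP/1.0 fallback
        header('Expires: 0');

        // 2. Re-check the session on every request, not only on the first page.
        //    userdata() returns FALSE when the key is absent (e.g. after
        //    sess_destroy()), so a plain negation covers the logged-out case.
        if ( ! $this->session->userdata('loggedIn')) {
            $this->session->set_flashdata('status', 'You must be logged in to view this page.');
            redirect('site');   // redirect() ends the script, so nothing below runs
        }
    }
}

// A protected controller inherits the check from the constructor; it no
// longer needs its own secure() wrapper around every method.
class Account extends MY_Controller
{
    public function index()
    {
        $this->load->view('secure_page');
    }
}

// Logout lives on an unprotected controller. It destroys the session and then
// redirects instead of rendering a view, so the logout URL itself is never a
// page the browser can "go back" to (kurucu's redirect suggestion).
class Auth extends CI_Controller
{
    public function logout()
    {
        $this->load->helper('url');
        $this->load->library('session');
        $this->session->sess_destroy();
        redirect('site');
    }
}
```

With this in place, pressing back after logout either re-requests the protected page (and is redirected with the flash message) or, in a browser that still redraws it from cache, shows a stale page on which every further action is refused by the constructor check.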
#4

[eluser]GSV Sleeper Service[/eluser]
From my experience this is an issue with the default CI session library. I had exactly the same problem, but only in IE; I switched to the 'native sessions' library and everything works as it should.
#5

[eluser]richzilla[/eluser]
Does the standard PHP session have something equivalent to flash data? My site makes quite heavy use of it...

EDIT:

And I haven't tested in IE yet; I'm not looking forward to opening that book...
#6

[eluser]kurucu[/eluser]
No, but a) you could write a function that gets information from the session and then removes it
or b) you could write a class/extend one to do it at the top of each request
or c) I think there are some plugins that extend/replace CI session library with one that has the same interface, but uses PHP native sessions. This would mean you could drop it in and change none of your code.

See here: http://codeigniter.com/wiki/Summary_of_R...lugins.../
Under the heading Session Libraries you have Native Session and PHP Session which both look good.


But, needless to say, debug properly before changing everything!
