How do I prevent users from being able to "back" into page from a destroyed session?
I have created login functionality on my site, and when I click logout the page redirects and destroys the session, which is fine.
However, when I click the back button I can still view the page. If I refresh it, then it will redirect me to login as the session has been destroyed and the user does not have access to the page, as expected.
Is there a way I can prevent the user from being able to view the page when they click the back button?
It may just be showing you the cached results.
Put echo time(); into the page somewhere, and then if you see the same time string when you hit the back button, it's just your browser caching the page, in which case it's harmless (they'll only be viewing information that they already had access to previously, which they could just as well have saved as a downloaded page anyway, so it's nothing to worry about).
session_destroy() only empties out the variables when the page is reloaded or redirected to another page. If the user goes back to the same page, the variables may still be usable after a session_destroy().
I would suggest also unsetting each of the variables, which should solve your problem. Example: unset($_SESSION['whatever'])
So in your logout function, first unset each variable, then destroy the session and then redirect to another page.
Try to perform a
header( 'Location: http://mySerbver.com/anURL' );
after you have destroyed the session. This makes returning to the previous page at least a bit more complicated: to go back, the user has to click back twice.
If you'd like to make it even more complicated, perform
header( 'Location: http://mySerbver.com/myScript.php?onceMore=yes' );
and if the myScript.php finds
isset( $_GET[ 'onceMore' ] )
then perform
header( 'Location: http://mySerbver.com/myScript.php' );
once again.
myScript.php:
<?php
// Force the browser to redirect once again
if ( isset( $_GET['onceMore'] ) ) {
    header( 'Location: http://mySerbver.com/myScript.php' );
    exit; // stop here; otherwise the rest of the page is still sent after the redirect header
}
// else continue with normal stuff.
...
Additionally, it might be of help to instruct the browser to not cache pages:
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // date in past
Please note that the browser may or may not respect these headers. Thus you probably need to send further cache-related headers.
You can solve this problem with header(). I use the following code for logout:
<?php
session_start();
unset($_SESSION['logged_usr_id']);
unset($_SESSION['logged_f_name']);
unset($_SESSION['logged_l_name']);
unset($_SESSION['logged_email']);
unset($_SESSION['fname']);
unset($_SESSION['lname']);
unset($_SESSION['email_v']);
unset($_SESSION['email_cnf_v']);
unset($_SESSION['pass_v']);
unset($_SESSION['pass_cnf_v']);
session_destroy();
// I try to kill the session again :D
// ($_SESSION still holds the data after session_destroy(); unset the keys,
// not the loop variable)
foreach ($_SESSION as $key => $value) {
    unset($_SESSION[$key]);
}
header('Location: index.php');
exit; // stop the script so nothing after the redirect is sent
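Pulling the two previous answers together (the cache headers from one and the unset/destroy/redirect sequence from the other), here is a complete page guard plus logout as an added example. It is not code from the question or any of the answers; the file names auth_guard.php and logout.php, the function names, the session key logged_usr_id and the redirect targets are assumptions for illustration. It sends Cache-Control: no-store, which is the directive that actually stops the browser from serving the protected page from cache on the back button, and it also expires the session cookie so the old session ID cannot be reused.

```php
<?php
// Added example, not from the original page. File names, function names and
// the session key 'logged_usr_id' are assumptions chosen for illustration.

// auth_guard.php -- require_once this at the top of every page that needs a login.
function send_no_store_headers(): void
{
    // "no-store" is what makes the browser re-request the page instead of
    // showing a cached copy on back/forward; the other two directives cover
    // older HTTP/1.0 caches and proxies that ignore Cache-Control.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

function require_login(string $login_url = '/login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    send_no_store_headers();
    if (empty($_SESSION['logged_usr_id'])) {
        header('Location: ' . $login_url, true, 303);
        exit; // never let the protected content below this call be sent
    }
}

// logout.php
function logout(string $after_logout_url = '/index.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Wipe all server-side session data at once instead of unsetting
    //    each key by hand (a forgotten key is a forgotten key).
    $_SESSION = [];

    // 2. Expire the session cookie in the browser, using the same cookie
    //    parameters it was set with, so the old session ID is not replayed.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }

    // 3. Destroy the session storage on the server.
    session_destroy();

    // 4. Redirect and stop. Without exit, PHP keeps executing the script and
    //    can still send page content after the Location header.
    send_no_store_headers();
    header('Location: ' . $after_logout_url, true, 303);
    exit;
}

// Usage in a protected page:   require_once 'auth_guard.php'; require_login();
// Usage in logout.php:         require_once 'auth_guard.php'; logout();
```

To verify it, apply the echo time(); trick from the first answer: with no-store on the protected page, pressing back after logout yields a fresh request, so the guard redirects to the login page instead of showing a stale timestamp. The setcookie options array and the samesite cookie parameter require PHP 7.3 or later.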