
IE "webpage has expired" on back button PHP session problem

On IE when user hits back button they get the classic IE "webpage has expired" message.

I have found that setting the following in my php.ini has solved this.

'session.cache_limiter=private'

However my problem now is when I send forms I include a PHP session value ($_SESSION['token']) in a hidden field. I then check this on the following page to see if token values match

echo "<form ......<input type='hidden' name='token' value='".$_SESSION['token']."' />";

/*on receiving page*/
if($_POST['token']==$_SESSION['token']){/*ok matched*/}
else{/*THIS IS WHERE THE ERROR OCCURS*/}

My problem is since adding this setting to my php.ini file I noticed when sending forms I get my custom page error as for some reason the $_SESSION['token'] value appears to change on the page receiving the form data thus making the if() statement return false? It's happening in all browsers now?

Here is my $_SESSION['token'] code (NOTE when sending my form it lands in the else() but value changes of $_SESSION['token'] something to do with cache perhaps not retaining my $_SESSION values?)

session_start();
if(!isset($_SESSION['token']))
{
            $token = md5(uniqid(rand(), TRUE));
            $_SESSION['token'] = $token; /*have to put current session token into this variable for hidden field in <form>*/
            $_SESSION['token_time'] = time();
}
else
{
            /*if token set ie user press back button on browser*/
            $token_age = time() - $_SESSION['token_time'];
            if ($token_age > 1200)
            {
                        /* More than 20 minutes has passed - regenerate. Do this so more likely won't timeout when user taking long time on <form> and token may not get refreshed before time limit*/
                        $token = md5(uniqid(rand(), TRUE));
                        $_SESSION['token'] = $token; /*have to put current session token into this variable for hidden field in <form>*/
                        $_SESSION['token_time'] = time();
            }

}

If any use, here's my other php.ini session settings

session.cache_limiter=private
session.cookie_secure=1 ;my whole site is SSL
session.cookie_httponly=1
session.save_path = /tmp ;directory to store sessions
session.save_handler = files
session.cookie_lifetime = 0 ;persistence cookie dies after browser closed
session.use_trans_sid = 0
session.use_only_cookies=1

Let me just clear something up guys, the reason this whole problem occurs is using the 'session.cache_limiter=private'. If I take this out there's no problem except I get a message in IE when hitting back button on a form page saying "Webpage expired". Are there any suggestions how to avoid that message occurring in IE when hitting the back button?


ini_set("session.cache_limiter", "must-revalidate");


Is that in HTML code?

<input type='hidden' name='token' value='".$_SESSION['token']."' />

If yes, try:

<input type='hidden' name='token' value='<?PHP echo $_SESSION['token']; ?>' />

:)


I never was too happy with the PHP built-in session functionality. Too many problems for me...

Are you initializing session handling with session_start()?

Are you sure that sessions are using cookies - not any Query-String / POST fields? (Check the generated HTML code in the browser).
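
A hardened form of the token issue-and-check pattern from the question, as an added example that is not part of the original posts: it swaps md5(uniqid(rand())) for random_bytes() and the == comparison for hash_equals(), and keeps the question's 20-minute lifetime. The function names form_token_issue and form_token_verify are hypothetical, and a plain array stands in for $_SESSION so the script runs from the CLI.

```php
<?php
// Added example, not the asker's code. Function names are hypothetical.
const TOKEN_TTL = 1200; // 20 minutes, the lifetime used in the question

// Call when rendering the form page: reuse a live token,
// mint a new one only if it is missing or older than TOKEN_TTL.
function form_token_issue(array &$session, int $now): string
{
    $expired = !isset($session['token'], $session['token_time'])
        || ($now - $session['token_time']) > TOKEN_TTL;
    if ($expired) {
        $session['token'] = bin2hex(random_bytes(32)); // CSPRNG-backed, 64 hex chars
        $session['token_time'] = $now;
    }
    return $session['token'];
}

// Call on the receiving page BEFORE any code that could regenerate the token.
function form_token_verify(array $session, $posted, int $now): bool
{
    if (!is_string($posted) || !isset($session['token'], $session['token_time'])) {
        return false; // missing field, array-valued field, or no token in the session
    }
    if (($now - $session['token_time']) > TOKEN_TTL) {
        return false; // stale token: re-render the form instead of accepting it
    }
    // Constant-time string comparison; avoids the loose typing of ==.
    return hash_equals($session['token'], $posted);
}

// Constructed demo data: $session stands in for $_SESSION, $t0 is an arbitrary timestamp.
$session = [];
$t0 = 1700000000;
$token = form_token_issue($session, $t0);
echo "<input type='hidden' name='token' value='"
    . htmlspecialchars($token, ENT_QUOTES) . "' />\n";

var_dump(form_token_verify($session, $token, $t0 + 60));     // same token, one minute later
var_dump(form_token_verify($session, ['x'], $t0 + 60));      // array-valued POST field
var_dump(form_token_verify($session, $token, $t0 + 1201));   // token past its lifetime
var_dump(form_token_issue($session, $t0 + 1201) !== $token); // expired token is replaced
```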
