Browser's BACK Button Problem

[suma237]

 

I actually want to deactivate the browser's "back button" action when a user has accidently forgot to logged out his session and opened another website in the same window without logging out his session.  I have noticed such faults with rediffmail.com. 

[trq]

I actually want to deactivate the browser's "back button" action

 

Can't be done.

[suma237]

Dear Thorpe,

 

Is there any other ways to solve this problem ?

[aniesh82]

hello Suma,

 

what is the problem with opening another tab in the same window ?

[suma237]

hi Anish  ..  i suppose the problem is not clear, just take an example .. I have logged into my rediffmail account and after accessing my inbox i've opened another website without logging out my rediff  account in the same window , then i l left my PC for a while and somene else purposefully click the back button and accessed my rediff mail accound .  i just want to avoid that  ..  hope now  the issue is clear

[ToonMariner]

opening a new window will still maintain the session - so if they know the url of the secure page you were logged into then they will access it too - providing the timeout has not been surpassed.

[suma237]

Is there any other ways to end the secured pages session while opening other website in the same window ?

[ToonMariner]

yes - logout!

[suma237]

guru'ji

 

thanks for the advice,  but i am looking for a page with a message like "your session has been expired" or "Please sign in back"  while clicking on the browsers back button

[ToonMariner]

Why are you looking for this page? It is your webmail that controls what you see/don't and how your sessions are handled. Unless you have any access to the server and can actually make any changes then you won't be able to integrate anything there.

 

Bottom line is that the easiest thing to do is NOT try to absolve yourself from any responsibility by trying to automate your security and just logout - if you can remember to do that then you will be fine. If you are using a terminal that may be used by others then don't save any passwords for pages etc.

[suma237]

thanks.  and sorry to ask silly questions again ,

 

could you please explain me how to prevent others from from accessing the secured page by "back button" once i've successfuly logged out my session.  I need to set the page to ask the user to login again with the correct password

[aniesh82]

 

You can do this by using a function to check whether the session exists or not. If not exist then redirects to login page. I think u got it?

[ToonMariner]

thanks.  and sorry to ask silly questions again ,

 

could you please explain me how to prevent others from from accessing the secured page by "back button" once i've successfuly logged out my session.  I need to set the page to ask the user to login again with the correct password

 

Close your browser down completely.

 

this means all windows of your browser not just the one that page was opened in.

 

 

[suma237]

could you please post the code for logout ?.

After logout i want to inactive the back button of the address bar .

[ToonMariner]

no - the logout is the script that your webmail provide has - they will use their own logout code. If you simply logout adn close your browser than no one will be able to click teh back button.

 

THERE IS NO SCRIPT THAT CAN HELP YOU ON THIS. JUST BE A RESPONSIBLE SURFER AND CLOSE THINGS DOWN IF YOU KNWO SOMEONE ESLE MAY USE THE MACHINE AFTER YOU.

[Illusion]

Use session_destroy() on the log-off page and unset the each session variable using unset().

[ToonMariner]

this is his rediff mail account - he has no access to the scripts on the server.....

[Illusion]

this is his rediff mail account - he has no access to the scripts on the server.....

I think you misunderstood the thing. She is not asking about the rediff mail and she has given it as a example for the case.

 

 

[suma237]

hi toon ..hope my query is still not clearly expressed/ understood..    i mentioned rediffmail as just an example . i'm developing a new website with login facillty and i want to redirect the user to login page once he logged out his session .

[Illusion]

once user click on logout.php

<?php
session_start()
echo "logging off..............."
session_destroy();
unset($_SESSION['user']);
unset($_SESSION['var2']);
.
.

.like that all the session variables
http_redirect ( www.site.com/login.php, "" ,session = FALSE , "")
?>

session = FALSE also kills the session information.

 

 

 

[ToonMariner]

OMG all aplogies - I was getting a bit tired of this thread as I thought it was about logging out of your redffi account

 

 

ok logout is like illusion sadi but very simple

 

if the user logs out use

 

<?php
session_unset(); // this unsets all session vars.
session_destroy(); // destroys session.
?>

 

BUT the browser may still store the headers it sent in a cache so if they hit back until they hit the page that processes the login info they get the sesion expired message - if they hit refresh it will send the info agin an possibly log them in

again.

[suma237]

my code

<?php session_start();

session_unset();

session_destroy();

?>

 

 

<?

header('Location:dlfhome.php');

?>

 

BUT the browser  still show the pages that already opened before logout.

 

Thanks

[Illusion]

How about

<meta http-equiv="cache-control" content="no-cache">

which clears the entire history.No back button is displayed after that.

 

I know it is a bad practice, with out user permissions we are going to clear his history, which may be valuable to him.