0

When the user decides to sign out, they obviously do so by using a "Sign out" button.
When they do, this script is executed:

if(isset($_POST['submit_Logout'])){
    $_SESSION['backend']->logout();  //  see this function bellow
    unset($_SESSION['user']);  //  unset only this session since there are other sessions I'd like to keep
    session_regenerate_id(true);  //  makes sure the session id is updated, and the old one is discarded
    KD::notice('success',$success_LoggedOut);  //  adding a notice to another session
    KD::redirect('/');  //  redirecting the user using header();
    session_commit();
}

I'm just unsetting this particular session (user) since there's other sessions that keeps other data available, regardless if the user is logged in or not, to better the user experience.

The logout()-function looks like this - for now:

public function logout(){
    $this->accessible=false;  //  just a flag to check against (see bellow)
    $this->username='';  //  empty the username
}

Since I'm unsetting the session that holds the related user data, I just realized that this function is probably unnecessary. Alternatively move the unset part etc. into the function..

Anyway, I've come to experience that when a user has logged out, he/she, or somebody else for that matter, has the opportunity to just hit the backwards button in their browser, and voila, they can view the page(s). Of course, if they start clicking on any links, they gets thrown out. But the back-button is still available..

I believe this happens as a result of cached pages/views by the browser. So when they click the back-button, they see a cached page/view stored in the browser memory or something..

Since this page, or view, is loaded into my template trough a index.php page with a permanent <head>, there's not much I can do about the caching of these restricted pages/views. Or is there?

Deleting records from the browsers history is not possible? or preventing these pages from being recorded in the first place?

Point is. What I need to do, i believe, is to force the browser to always request the page from the server. So regardless if the user hits the back-button, or a link to a restricted page, the page should always reqest it from the server, and not the browsers memory..

Or am I not getting this correct?

If so. I do wonder how. How is this usually done?

I have this in my class

private $accessible = false;  //  when logged in, this is set to true
public function accessible(){
    return $this->accessible;
}

At the very top of the page that includes the views into the restricted area I have this: 

if($_SESSION['user']->accessible()===true):

Othervise the user is prompted with a login screen.
But that doesn't work as expected. This check is not performed when the user uses the back-button in their browser...

Thanks in advance..

UPDATE
Heres a quick overview of my structure/layout:

/*  
    when the user is logged in/out, the script that does that is executed up here. 
    That includes setting the sessions etc. aswell - which means, if the user is not logged in, the access will be set to false.
*/
<head>

</head>
<body>
    /*  
        Here I include different pages with php include;  
        These pages can be home.pg.php, contact.pg.php, and of course restricted.pg.php
        each of these pages includes different content (views as I like to call them) that is presented to the user based on their interaction.

        Now. When the user tries to access the restricted.pg.php, I have this at the top:
    */
       if($_SESSION['user']->accessible()===true):
           /*  now each view that is included here should be not accessable if accessable() is not true.  */
       else:
           /*  the user is presented with a login form  */
       endif;
</body>

Did this help?

ThomasK
  • 2,210
  • 3
  • 26
  • 35
  • after logout, is there a header redirect? – Kevin Sep 27 '14 at 01:58
  • Yes. `KD::redirect('/')` is `header('Location:/')` (in this case). I'm adding some comments to the question... – ThomasK Sep 27 '14 at 02:00
  • i don't understand that line, maybe you need to session commit first, before making a redirect, thats the most logical thing to do, do everything you need to do, then in the end, redirect – Kevin Sep 27 '14 at 02:03
  • The answer to your question is probably [here](http://stackoverflow.com/questions/9071838/force-reload-refresh-when-pressing-the-back-button). – wavemode Sep 27 '14 at 02:14

2 Answers2

1

All the pages that require some to login should have something like this,

session_start();
if(!isset($_SESSION['user']){
  //REDIRECT USER TO LOGIN PAGE
}

If its because of the browser caching issue that hitting back is taking you back to cached version of the page (even though user is logged out) then you should redirect the user twice (good practice).

what I mean is create a file called logout.php so when user clicks on logout button,it redirect the user to logout.php (that'll have the session unset code) and after that redirect user to login page.

so current page ----redirects to---> logout.php ----redirects to----> login.php
Himan
  • 379
  • 1
  • 7
  • I do have that - i believe. The page that loads the different views has this `if($_SESSION['user']->accessible()===true):` at the top. If this is `false`, they should get prompted with a login screen. That happens if I try to access any part of what's inside this block. But this check fails/does not execute when the users uses the back-button in their browser... – ThomasK Sep 27 '14 at 02:33
  • I just realized that I just reloads the page, unset the session, and then redirects the user to homepage when the user hits the log out button. This makes the previous page fully available trough the back-button. The method you're suggesting would make the last page the logut.php, which will send the user right back to login.pgp if they juse the back-button... I'll have to test that out. Only concerns I have in this regards is if the user opens the history of the back-button and choses another page before the logout.php.... – ThomasK Sep 27 '14 at 03:10
0

i think in every page you can just check whether a session is set or not. ex. Session::handlelogin('user')

then you can just make a function namely handlelogin in Session class

Class Session {

function handlelogin($user) {
  if (!isset($user)) {
     //redirect the user to your login page
  }
}

}

Notice: just set this up in top of the page if your using MVC architecture then you can set it up in the Controller

Session::handlelogin('user')

Robert Dean Pantino
  • 284
  • 1
  • 3
  • 12
  • I have this in my class `public function accessible(){ return $this->accessible; }` (set to `false` when not logged in). Then, at the very top of the page that includes the views into the restricted area I have this: `if($_SESSION['user']->accessible()===true):`. Othervise the user is prompted with a login screen. But that doesn't work as expected. This check is not performed when the user uses the back-button in their browser... – ThomasK Sep 27 '14 at 02:09
  • None in particular.. And it's not quite an MVC. It's basically my own setup.. But there's one page, that is included into index.php, that again includes the different views. Every view that is included into this page is suppose to be locked down behind the `accessible()` check.. – ThomasK Sep 27 '14 at 02:16
  • back/previous button in the browser shouldnt be an issue. Maybe the session and variable is not properly set after the logout. Have you check there values after logout?. – Robert Dean Pantino Sep 27 '14 at 02:19
  • Yes. The values is set back to default. Since I'm redirecting the user to the home page, the site is of course reloaded. And when the site loads, I'm checking to se if the session `user` is set. If not, which it isn't since I just unset it, I reinitiate the class with default values (`accessable = false`). This happens, of course, at the very beginning. Before any html is sent to the bowser.. – ThomasK Sep 27 '14 at 02:24
  • thats odd . since i doesnt know the structure/layout of the page/code. maybe you can just test if a user is login using session only (for now) and by not setting the $accessible first. then test if it still not validating – Robert Dean Pantino Sep 27 '14 at 02:29
  • i added a quick description of the structure. Maybe that helps? – ThomasK Sep 27 '14 at 02:57