Tags: php, session, buffering, login-script

Prevent user from logging back in after logging out by hitting the back button


I am using a PHP login script that challenges user for username & password.

Once authenticated, the program stores a session value. On logout, the session value is set to blanks.

Once logged out, I want to avoid the user hitting the back button a few times and being allowed to see a screen of data or accidentally logging himself back in.

I am using sessions and a redirect to send the validated user to a new page. I am also using ob_start, ob_flush and ob_end_clean to prevent an error on redirect.

Questions: Is this really secure? Is this a common approach?
Is there an alternative to buffering?

Below is a small proof-of-concept.

<?php
header("Cache-Control: no-cache, must-revalidate");
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
header("Pragma: public");
session_cache_limiter('nocache');
// I'm not sure how effective any of the above seem to be.

session_start();

// start buffering so that calling header() later does not raise a
// "headers already sent" error
ob_start();

echo "Type <b>in</b> or <b>out</b> to login/logout<br>";
?>

 <form action='' method='POST'>
 <input type='text' name='status' size='10' value=""><br/><br/>

 <p>&nbsp;</p>
 <input type='submit' name='Login' value='Login' /></form>

<?php
 // avoid an undefined-index notice before the form has been submitted
 $status = isset($_POST['status']) ? $_POST['status'] : '';

 if ($status == 'in')
 {
  $_SESSION['logged_in'] = 'in';
  ob_end_clean();  // clean and erase buffer so far
  header('location:test2.php');
  exit;
 }

 if ($status == 'out')
 {
  $_SESSION['logged_in'] = 'no';
  echo "you are logged out <br>";
 }
 ob_flush();   // push output
 // the session key does not exist on the very first visit
 echo "login status = " . (isset($_SESSION['logged_in']) ? $_SESSION['logged_in'] : 'not set');

?>
file test2.php
<?php
echo "You have logged in"; 
?>

Solution

  • What you need is a proper logout method rather than testing session data. You want the session to be wiped completely. Here is an example that logs the user in and logs the user out and also checks if the user is logged in. When you click the logout page you're automatically logged out and redirected. Clicking back won't change anything; you still won't be logged in.

    login.php

    session_start();
    $valid = someLoginFunctionHere();
    if($valid) {
         $_SESSION['isLoggedIn'] = true;
         header("Location: homepage.php");
         exit; // stop here so nothing else is sent with the redirect
    }
    

    homepage.php

    session_start();
    // If they are not logged in, send them to login page
    if(!isset($_SESSION['isLoggedIn'])) {
        header("Location: login.php");
        exit; // without this the protected content below is still output
    }
    
    // Normal homepage stuff
    ...
    

    logout.php

    session_start();
    $_SESSION = [];     // session_destroy() does not unset the current request's data
    session_destroy();
    header("Location: login.php");
    exit;
    

    Hope this helps demystify sessions a bit for you.
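Pulling the answer's three pages and the question's cache headers together, here is an added helper (not code from the question or the answer; the file and function names are assumptions) that the answer's login.php, homepage.php and logout.php could include. It stops the page being served from the browser cache on Back, regenerates the session id at login, and removes both the server-side session and the client cookie at logout.

```php
<?php
// Added example with assumed names; not code from the question or the answer.
// Without these headers, Back can show a cached copy of a protected page.
function send_no_cache_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');
}

function start_session(): void
{
    session_cache_limiter('nocache');  // must precede session_start()
    session_start();
    send_no_cache_headers();
}

// Call only after credentials are verified; a fresh id keeps any id chosen
// before login from becoming an authenticated session.
function log_in(): void
{
    session_regenerate_id(true);
    $_SESSION['isLoggedIn'] = true;
}

function is_logged_in(): bool
{
    return !empty($_SESSION['isLoggedIn']);
}

// session_destroy() alone leaves $_SESSION set for this request and keeps
// the cookie alive in the browser, so clear both explicitly.
function log_out(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Guard for protected pages: redirect and stop, so nothing below is output.
function require_login(string $loginUrl = 'login.php'): void
{
    if (!is_logged_in()) {
        header('Location: ' . $loginUrl);
        exit;
    }
}
```

A protected page then calls start_session() followed by require_login() before any output, and logout.php calls start_session(), log_out() and redirects.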