I have Apache running PHP on a Windows machine.
On my local website, if I log out as a user, the cookie is emptied and after the header redirect I'm no longer logged in on the site. On paper.
But I can still use the browser back button and see the content that is meant for logged-in users only.
But refreshing the page indeed shows that I am logged out and the content is not shown. But the back-cache disagrees.
On my live website, which uses HTTPS, there is no problem with the back-cache like that. But on the local server, it happens.
How can I fix this?
This is what I use when a user logs out:
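<?php
// LOG OUT
// Delete the cookie: empty value and an expiry in the past (HttpOnly stays on).
setcookie('cookie', '', time() - 3600, '/', '', false, true);
// Redirect to the home page, then stop the script.
header('Location: http://localhost/');
exit;
?>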
I use these headers in my PHP config file, which is included on all PHP pages on the site:
<?php
header('Content-type: text/html; charset=utf-8');
header('Expires: ' . gmdate('D, d M Y 00:01:00', strtotime('first day of this month')) . ' GMT');
header('Last-Modified: ' . gmdate('D, d M Y H:i:s', time()-1) . ' GMT');
header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
header('Cache-Control: post-check=0, pre-check=0', FALSE);
header('Pragma: no-cache');
?>
EDIT: I see now that the issue is related to "bfcache" (the back-forward cache in the browser). Still investigating...
Google is not what it used to be when searching for issues like this...
Having HTTPS (SSL) enabled solved the problem with cached pages and the back button.
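
A client-side guard for the bfcache behaviour described in the post, as an added example that is not part of the original post: it listens for `pageshow` and reloads when the page was restored from history, so the server re-checks the session. The function names `restoredFromHistory` and `installHistoryGuard` are hypothetical, and the script is assumed to be included on every logged-in page.

```javascript
// Added example, not the poster's code. Runs in a browser; the guard at the
// bottom lets the file load outside a browser as well.

// True when the page on screen came out of browser history instead of a
// fresh request to the server.
//   event      - the pageshow event (persisted === true means bfcache restore)
//   navEntries - result of performance.getEntriesByType('navigation')
function restoredFromHistory(event, navEntries) {
  if (event && event.persisted === true) {
    return true; // frozen page restored from bfcache, no request was sent
  }
  const nav = Array.isArray(navEntries) ? navEntries[0] : undefined;
  // 'back_forward' also covers history navigations answered from the HTTP cache.
  return Boolean(nav && nav.type === 'back_forward');
}

// Attach the guard to a window-like object and return the handler.
function installHistoryGuard(win) {
  const onPageShow = (event) => {
    const entries = win.performance.getEntriesByType('navigation');
    if (!restoredFromHistory(event, entries)) {
      return false; // normal load or reload: the server already checked the session
    }
    // The cookie in the post is set HttpOnly, so script cannot inspect it.
    // Hide the stale markup and reload so the server decides what to show.
    win.document.documentElement.style.visibility = 'hidden';
    win.location.reload();
    return true;
  };
  win.addEventListener('pageshow', onPageShow);
  return onPageShow;
}

if (typeof window !== 'undefined') {
  installHistoryGuard(window);
}
```

After the reload the navigation type is `reload`, so the handler does not trigger a second time.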