Hi,
I have developed a basic membership system, using sessions.
I want to make it so that after the user logs out, if s/he presses the back button, it does NOT take him/her back to the previous page (i.e. a page that requires a user to be logged in to view).
Rather, I want it to be redirected to the login page again, with some sort of "Your login session has expired" error.
I've seen a lot of membership systems (emails, forums, etc.) that have this, but I am lost at how to do this myself...
Does anyone have any idea?
THANKS in advance!!!
logout sessions
Well it will partially depend on the user's browsers. Most browsers follow the spec's suggestions that back/forward buttons load the cached version of the page, even if no-cache were specified. For those browsers that resubmit on back/forward just make sure that part of your standard header/includes tests for a valid session and in the invalid case redirects.
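One way to write the standard include this reply describes, as an added example that is not code from any poster in the thread: it checks the session on every request, redirects to the login page when the check fails, marks protected pages as non-storable, and destroys the session on logout. The file name `auth_guard.php`, the function names, the `login`/`success` session flag, `login.php` and the `expired` query parameter are assumptions.

```php
<?php
// auth_guard.php (hypothetical name): include at the top of every protected page.
// Added example; the session flag and page names below are assumptions.

function start_private_session(): void
{
    // Keep the session ID in a cookie only, never in the URL (?SID=...),
    // so it does not end up in history, bookmarks or Referer headers.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_start(['cookie_httponly' => true]);

    // Ask the browser and any proxy not to store the page. Must be sent
    // before any output. How Back treats history is still up to the browser.
    header('Cache-Control: no-store, no-cache, must-revalidate, private');
    header('Pragma: no-cache');
    header('Expires: 0');
}

function is_logged_in(array $session): bool
{
    return isset($session['login']) && $session['login'] === 'success';
}

function require_login(): void
{
    start_private_session();
    if (!is_logged_in($_SESSION)) {
        // 'expired' is a hypothetical parameter that login.php can use to
        // show "Your login session has expired".
        header('Location: login.php?expired=1');
        exit;
    }
}

function logout(): void
{
    start_private_session();
    $_SESSION = [];                      // drop the in-memory session state
    $p = session_get_cookie_params();    // expire the cookie with matching scope
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();                   // delete the session data on the server
    header('Location: login.php');
    exit;
}
```

A protected page calls `require_login()` before producing any output, and the logout link points to a script that calls `logout()`.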
rob.weaver
a possible solution
ok.. from what I am understanding ...
You want each page to be validated and if the person logs off, they get a message that their session has expired and they are then re-directed to the login screen. Is this right?
If so,
I would suggest creating a verify script to include on every page that you want authenticated. Within this verify script, you should put the forwarding script and link if it doesn't forward them..
so you would have
(example of hotmail)
verify script
header
user email
footer
Here is an example verify script...with redirection built in... make sense?
<?php
// Include this at the top of every page that requires a logged-in user.
session_start();
if (!isset($_SESSION['sesid'])) {
    // No session data at all: show the logged-out page and stop.
    echo "<HTML>";
?>
<HEAD><TITLE>Logged Out</TITLE>
<LINK REL=STYLESHEET HREF="../../utility/main.css" TYPE="text/css">
<META HTTP-EQUIV="Refresh" CONTENT="10;URL=login.php">
<SCRIPT LANGUAGE="JavaScript"><!--
function redirect () { setTimeout("go_now()",10000); }
function go_now () { window.location.href = "login.php"; }
//--></SCRIPT>
</HEAD>
<BODY onLoad="redirect()">
<?php
    echo "<h2>You Are Logged Out</h2> - or - <h2>Your Login Has Expired</h2>";
    echo "<br>Session Not Set<br>";
    echo "If you are not re-directed to the login page within 5 seconds, ";
    echo "please click <a href=\"login.php\">here</a> to log in again.";
    echo "</BODY></HTML>";
    exit;
} elseif ($_SESSION['sesid'] <> session_id() or !isset($_GET['SID']) or $_GET['SID'] <> session_id() or $_SESSION['login'] <> "success") {
    // Session exists but does not match the current session ID, the SID
    // passed in the URL, or the login flag: treat it as expired.
    echo "<HTML>";
?>
<HEAD><TITLE>Logged Out</TITLE>
<LINK REL=STYLESHEET HREF="../../utility/main.css" TYPE="text/css">
<META HTTP-EQUIV="Refresh" CONTENT="10;URL=login.php">
<SCRIPT LANGUAGE="JavaScript"><!--
function redirect () { setTimeout("go_now()",10000); }
function go_now () { window.location.href = "login.php"; }
//--></SCRIPT>
</HEAD>
<BODY onLoad="redirect()">
<?php
    echo "<h2>You Are Logged Out</h2> - or - <h2>Your Login Has Expired</h2>";
    echo "If you are not re-directed to the login page within 5 seconds, ";
    echo "Please click <a href=\"login.php\">here</a> to log in again.";
    echo "</BODY></HTML>";
    exit;
} else {
    // Session is valid: fall through to the page that included this file.
}
?>
hi all,
thanks to my friend DGW for asking my question.
anyhow, thanks to rob.weaver for typing out all that code. i've read it but i think it's not quite what i'm looking for. you see, the problem here is that once the php script is run for the first time, an html page is generated and sent to the client. this html page is cached.
so if a user presses the back button to go to that page, the page is nOt a new page generated by the script, rather, it is just the previous html that was cached. the critical point then, is that there is nO access to check whether the session still exists~
i've been looking up headers, cache-control, and expires, but it doesn't seem to work!! did i do anything wrong??? i'm using IE6
(a lot of the below is straight from the php.net documentation for headers() function)
firstpage.php:
Code:
<?php
// Headers meant to stop the browser from caching this page.
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");            // date in the past
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");   // always modified
header("Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0", false);
header("Pragma: no-cache");                                  // HTTP/1.0
echo "Hello<br>";
echo "<a href='anotherpage.html'>link</a>";
?>
by "doesn't seem to work" i mean, i open firstpage.php, then i click on the <a> tag 'link', then i press back button, what i WANT to happen is i get some sort of http error; what DOES happen is, i get back to the html generated by firstpage.php the first time
Yes, as I said. That is the "correct" (as defined by the http spec) behavior, to the best of my knowledge. Some old browsers (notably Netscape 4.x) resubmitted forw/back buttons in violation of the spec so some people grew to expect it. Because the spec specified the behavior as something that overrides headers/cache control it's hard to avoid.
However I developed a "back button detector" that seems to work pretty well on most browsers. Why it works, I'm not sure... it shouldn't... here's the code: (OLD code, designed for php 4.0.4pl?, uses the old $HTTP_VARS)
Code:
// Send a redirect header, appending the session ID to the URL
// when the browser did not send the session cookie.
function localRedirect($url)
{
    GLOBAL $HTTP_COOKIE_VARS;
    if (isset($HTTP_COOKIE_VARS["PHPSESSID"]))
        header($url);
    else
        header($url . "?" .SID);
}

// Allow the request only if it arrived from one of the listed pages
// and every variable required for that page is set; otherwise
// redirect to back.php.
function restrictNavigation($referers)
{
    GLOBAL $HTTP_REFERER, $HTTP_SESSION_VARS, $HTTP_POST_VARS;
    GLOBAL $baseURL;

    // Normalize the referer: force the http:// scheme and strip
    // any #fragment and ?query string.
    $url = $HTTP_REFERER;
    $protocol = strpos($url,'://');
    if ($protocol)
    {
        $url = substr($url,$protocol+3,strlen($url));
        $url = "http://".$url;
    }
    $hash = strpos($url,'#');
    if ($hash)
        $url = substr($url,0,$hash);
    $ques = strpos($url,'?');
    if ($ques)
        $url = substr($url,0,$ques);

    reset($referers);
    while ($aLegalPage = each($referers))
    {
        $page = $aLegalPage["value"]["PAGE"];
        $requiredVars = $aLegalPage["value"]["VARS"];
        if ($page==$url)
        {
            // Referer is allowed; each required variable must be
            // present in either the POST data or the session.
            $numVars = count($requiredVars);
            for ($i=0;$i<$numVars;$i++)
            {
                $varName = $requiredVars[$i];
                $tempPost = $HTTP_POST_VARS["$varName"];
                $tempSess = $HTTP_SESSION_VARS["$varName"];
                if ($tempPost=="" && $tempSess=="")
                {
                    localRedirect("Location: $baseURL/back.php");
                    exit;
                }
            }
            return true;
        }
    }
    // Referer matched none of the allowed pages.
    localRedirect("Location: $baseURL/back.php");
    exit;
}
It is called like
Code:
restrictNavigation(array(array("PAGE"=>"$baseURL/index.php",
                               "VARS"=>array()),
                         array("PAGE"=>"$baseURL/otherPage.php",
                               "VARS"=>array("foo"))));
with the meaning that old page transitions from index.php or otherpage (and only if foo is given a value) will be allowed. Back navigation tends to also not set HTTP_REFERER so it is automatically blocked.
Note most users absolutely HATE this.