Restrict User Navigation

man_from_ghana
Forum Newbie
Posts: 2
Joined: Fri Jul 21, 2006 6:37 am
Location: Ghana

Post by man_from_ghana »

Hi all,

I have a web application built with PHP and Oracle. My problem is that after a user successfully logs in, he/she is able to use the browser's 'back' button to go back to the login page and then use the 'forward' button to simply go back to the main page from where all activities can be done.

I want to prevent this such that if the user uses the 'back' button in this manner and attempts to use the 'forward' button to go to the main page, he/she should be re-directed to the login page to re-do the login process.

I thought of using JavaScript to remove the browser's history for every page visited in the application so that at any given instant there's no history and hence no 'back' and 'forward' actions that can be performed, but apparently that cannot be done.

How can I achieve this server-side?

Thanks in advance.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

You don't want to disable the back button really. It's not fair on the user. What's the harm if they go back to the login page? Would that not be the expected behaviour? Session data can be used to track things like this, so if you log out and then go forward again, yes, the app will go back forward to that page, BUT the page should see that they've been logged out and refuse to function or redirect them elsewhere.

Oh, by the way, it is *sort of* possible to use JS by using the methods of the "history" object to force the browser one way or the other on page load but don't do it... it's nasty, and you can probably re-think your design ;)
man_from_ghana
Forum Newbie
Posts: 2
Joined: Fri Jul 21, 2006 6:37 am
Location: Ghana

Post by man_from_ghana »

Hi d11wtq,

No harm if they go back to the login page, but they shouldn't be able to use the forward button to simply go back to the main page. That's my goal.
In this case, they have not clicked on, say, a logout link or button to log out; they have simply gone backwards.
As to JS usage, in my post I already stated that it apparently can't be done, so that's a no-go for me. I wanted to know if it can be done by server-side coding and if so, any pointers would be welcome.

I am imagining a scenario where a user correctly logs in, does his or her work and doesn't close the browser but simply goes back to the login page thinking that's OK.
Another person (possibly unauthorized) walks in, sees the page and clicks the browser's forward button. BINGO, he/she is at the main page and can do all sorts of things.

Thanks for the advice, man.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

In the login page:

```php
<?php
session_start(); // session_destroy() only works on a session that has been started

if (empty($_POST)) {
    // no login submission
    session_destroy(); // you may need to destroy the cookie manually also
} else {
    // normal login code
}
```
Now when they attempt to go forward again, because they haven't made a submission on the login page, their session has been destroyed and whatever checks against the session you have in the main page they were last on will come into effect.

But I have to say I don't really see why this is necessary.
kbrown3074
Forum Contributor
Posts: 119
Joined: Thu Jul 20, 2006 1:36 pm

Post by kbrown3074 »

You could also push the user's id into a cookie and do a quick check at the beginning of each page. If the cookie isn't filled in then send them back to the login page.
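
The server-side check the replies refer to, as an added example that is not part of the original thread: a guard included at the top of every protected page, which forces the browser to re-request the page on back/forward and redirects to the login page when the session is gone or idle. The file name, `LOGIN_URL`, `IDLE_LIMIT` and the session keys `user_id` and `last_seen` are assumptions made for the example.

```php
<?php
// guard.php (hypothetical name). Usage on a protected page:
//   require 'guard.php'; require_login();
// Assumes the login code, after verifying the password, calls
// session_regenerate_id(true) and sets $_SESSION['user_id'] and
// $_SESSION['last_seen'] = time(). Identity is read only from
// server-side session data, never from a value the client can edit.

const LOGIN_URL  = '/login.php'; // assumed path of the login page
const IDLE_LIMIT = 900;          // assumed idle timeout, in seconds

// True only if the session holds a login that has not been idle too long.
function session_is_valid(array $session, int $now, int $idleLimit = IDLE_LIMIT): bool
{
    if (empty($session['user_id']) || !isset($session['last_seen'])) {
        return false; // never logged in, or session destroyed on the login page
    }
    return ($now - (int) $session['last_seen']) <= $idleLimit;
}

function require_login(): void
{
    session_start();

    // Ask the browser not to keep a copy of this page, so that pressing
    // 'forward' causes a new request and this check runs again.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');

    if (!session_is_valid($_SESSION, time())) {
        // Clear server-side state and expire the session cookie.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                      $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        header('Location: ' . LOGIN_URL);
        exit;
    }

    $_SESSION['last_seen'] = time(); // sliding idle window
}
```

Combined with destroying the session when the login page is loaded without a submission, as in the reply above, a user who goes back to the login page and then forward is sent to the login page again.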