
Restrict User Navigation

Posted: Fri Jul 21, 2006 7:18 am
by man_from_ghana
Hi all,

I have a web application built with php and Oracle. My problem is that after a user successfully logs in, he/she is able to use the browser's 'back' button to go back to the login page and then use the 'forward' button to simply go back to the main page from where all activities can be done.

I want to prevent this such that if the user uses the 'back' button in this manner and attempts to use the 'forward' button to go to the main page, he/she should be re-directed to the login page to re-do the login process.

I thought of using JavaScript to remove the browser's history for every page visited in the application so that at any given instant there's no history and hence no 'back' and 'forward' actions that can be performed, but apparently that cannot be done.

How can I achieve this server-side?

Thanks in advance.

Posted: Fri Jul 21, 2006 7:25 am
by Chris Corbyn
You don't want to disable the back button really. It's not fair on the user. What's the harm if they go back to the login page? Would that not be the expected behaviour? Session data can be used to track things like this, so if you log out and then go forward again, yes, the app will go back forward to that page, BUT the page should see that they've been logged out and refuse to function or redirect them elsewhere.

Oh, by the way, it is *sort of* possible to use JS by using the methods of the "history" object to force the browser one way or the other on page load but don't do it... it's nasty, and you can probably re-think your design ;)

Posted: Fri Jul 21, 2006 8:24 am
by man_from_ghana
Hi d11wtq,

No harm if they go back to login page but they shouldn't be able to use the forward button to simply go back to the main page. That's my goal.
In this case, they have not clicked on say a logout link or button to log out, they have simply gone backwards.
As to JS usage, in my post I already stated that it apparently can't be done, so that's a no go for me. I wanted to know if it can be done by server-side coding and if so, any pointers would be welcome.

I am imagining a scenario where a user correctly logs in, does his or her work and doesn't close the browser but simply goes back to the login page thinking that's ok.
Another person (possibly unauthorized) walks in, sees the page and clicks the browser's forward button. BINGO, he/she is at the main page and can do all sorts of things.

Thanks for the advice, man.

Posted: Fri Jul 21, 2006 9:44 am
by Ollie Saunders
In the login page:

session_start(); // session_destroy() only works on a started session

if (empty($_POST)) {
    // no login submission: a plain GET of the login page ends the session
    $_SESSION = array();
    session_destroy(); // you may need to destroy the session cookie manually also
} else {
    // normal login code
}

Now when they attempt to go forward again, because they haven't made a submission on the login page their session has been destroyed, and whatever checks against the session you have in the main page they were last on will come into effect.

But I have to say I don't really see why this is necessary.

Posted: Fri Jul 21, 2006 12:23 pm
by kbrown3074
You could also push the user's id into a cookie and do a quick check at the beginning of each page. If the cookie isn't filled in then send them back to the login page.
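A server-side version of what the two replies above describe, added here as an example and not code from the thread: every protected page includes auth.php and calls require_login(), which checks a server-side session (rather than a user id in a plain cookie, which the browser's user can edit) and sends no-store headers so the browser re-requests the page, and re-runs the check, when it is reached via Back or Forward. The login page calls end_session() on a plain GET, as in the earlier post. The file names, the $_SESSION['user_id'] key and the 303 redirect are assumptions.

```php
<?php
// auth.php (assumed name): included at the top of every protected page.
// Assumes the login handler sets $_SESSION['user_id'] after verifying credentials.

function require_login(string $login_url = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Tell the browser not to keep a cached copy of this page, so Back/Forward
    // fetches it from the server again and this check runs every time.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');

    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $login_url, true, 303);
        exit;
    }
}

function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    // session_destroy() removes the server-side data only; expire the cookie too,
    // otherwise the browser keeps sending the old session id.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// login.php (assumed name): a plain GET ends any existing session; a POST runs
// the normal credential check and then starts a fresh session id.
//   require_once 'auth.php';
//   if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
//       end_session();
//   } else {
//       // ... verify username/password against the database ...
//       session_start();
//       session_regenerate_id(true); // new id on privilege change
//       $_SESSION['user_id'] = $verified_user_id;
//   }
//
// main.php (assumed name): require_once 'auth.php'; require_login();
```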