I've got a logout.php page which ends a user's session and works well and does the following:

session_start();
session_unset();
session_destroy();

I've just noticed when testing with Safari that when you log out you can click the back button to return to the previous page, which requires authentication, but are not prompted. You cannot navigate away from this page without entering the navigation but it should not be displaying the previous page in the first place.

So far in my testing this is only an issue with Safari on Mac OS X and there are a number of other reports about this but with no resolution that I could find:

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_23702691.html

I would love to be able to disable this behaviour with Safari's back button - surprised that this is happening in the first place.

Thanks, Steve

Steve Kemp
  • hmm I don't think that's the problem with your application, safari is just displaying cached data – phunehehe Jun 09 '10 at 13:58
  • On every other browser, if I log out and click the Back button I get the login page to enter the username/password. On Safari, if I log out and click the Back button it "remembers" the previous page (sounds cache related) and doesn't authenticate even though the session is destroyed and it should prompt me to authenticate. If I navigate from that page only then does it prompt me to authenticate. – Steve Kemp Jun 09 '10 at 14:11
  • Because the browser caches the page.. – Jaquarh Sep 04 '17 at 17:07

1 Answer

Ensure that any page you serve which requires authentication is being sent with suitable cache control headers. The page is being displayed from the browser cache; by providing cache control which explicitly forbids caching, you should be able to stop this.

From http://php.net/manual/en/function.header.php

<?php
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past
?>

Specifically for Safari, there's some discussion about caches and unload events, which you might be able to use to avoid caching. It seems that WebKit does have some complications with caching in general.

http://webkit.org/blog/427/webkit-page-cache-i-the-basics/

http://webkit.org/blog/516/webkit-page-cache-ii-the-unload-event/

ptomli
  • Hi thanks for your comment. I've previously tried this to no avail. I just added them again and it's still loading the page which requires authentication. Problem seems to be with webkit based browsers such as Safari for Mac and the iPhone as well. – Steve Kemp Jun 09 '10 at 14:13
  • I've added a couple of links. When you do the "login, logout, back" procedure, try using the Safari/Chrome developer tools to inspect the HTTP headers the browser has detected (Developer Tools -> Resources, click on the page entry on the left). – ptomli Jun 09 '10 at 14:42
  • Thanks very much I will look into this - further searching had led me to the same conclusion re the onUnload event etc. Thanks – Steve Kemp Jun 09 '10 at 16:20
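
An added example, not part of the original question or answer: a PHP guard for protected pages that sends cache-forbidding headers before checking the session, a logout that also expires the session cookie, and a `pageshow` handler that forces a fresh request when the browser restores the page from its in-memory page cache. The file name `auth_guard.php`, the function names, the `/login.php` URL and the `user_id` session key are assumptions for illustration.

```php
<?php
// auth_guard.php (hypothetical file name): include at the top of every page
// that requires a login, before any output is sent.

function send_no_store_headers(): void
{
    // no-store: caches must not keep a copy of this response at all.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');                       // HTTP/1.0 caches
    header('Expires: Sat, 26 Jul 1997 05:00:00 GMT'); // date in the past
}

function require_login(string $loginUrl = '/login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    send_no_store_headers();
    // 'user_id' is an assumed session key set by the login page.
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl, true, 302);
        exit;
    }
}

function logout(string $loginUrl = '/login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                       // clear data for this request too
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the session cookie in the browser.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // remove the server-side session
    send_no_store_headers();
    header('Location: ' . $loginUrl, true, 302);
    exit;
}

// Echo inside <head> of protected pages. A page restored from the page cache
// (event.persisted is true) made no request, so reload to rerun require_login().
function page_cache_reload_script(): string
{
    return '<script>window.addEventListener("pageshow", function (e) {'
         . ' if (e.persisted) { window.location.reload(); } });</script>';
}
```

Call `require_login()` as the first statement of each protected page and `logout()` from logout.php; the Developer Tools check suggested in the comments above shows whether the headers actually reached the browser.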