Prevent displaying of previous pages after logout

Question

i'm working at PHP application but i have a trouble, in fact when a user logged out and press after logging out the back button of the browser he can see the previous page as if the session has not been destroyed :(( i have tried all that i find here and on the web but it doesn't work :'(

Can I disable the back button?

Answer 1

http://blog.priyakant.com/2014/09/23/browser-back-button-prevent/

Summary:

Browser back button – Prevent displaying of previous pages after logout – Cookie based approach Posted on September 23, 2014 by Priyakant Patel — Leave a comment Prevent displaying of previous pages after logout

Client browser application caches page for performance reason. In this case when user clicks on back (browser back button) it shows previous page from cache.

Case 1 : User is still logged in.

it is OK to display content of previous page.

Case 2 : User is logged out.

Potentially next user can click on browser back button and can see content(s) of previous page(s).

This could be big problem in many applications. In financial application next user potential can see financial data. Or Medical / Patient related application this could be HIPAA violation and company can face big penalties.

So let’s get back to the point, How can solve this problem?

I am proposing HTTP Cookie based approach.

Steps:

Create HTTP Cookie from server side with sliding expiration. Which can be accessed from Client JavaScript (Note: Browser clears this Cookie upon expiration).
Clear this cookie upon logout
If you don’t find this Cookie, reload the page. In this case server re-authenticates page and if necessary it will redirect to the login page
That’s it, Done!

Here is my implementation using ASP.NET. Implementation will varies based on server technology but idea stays same.

1. (Server Side). Create HTTP Cookie from server side with sliding expiration

   Response.SetCookie(new HttpCookie(“TimeoutCookieName”, "1") { Expires = DateTime.UtcNow.AddMinutes(10) });
   //NOTE 10 == Session Timeout. This will be same as your application login session timeout.
   

2. (Server Side). Clear this cookie upon logout

   Response.SetCookie(new HttpCookie(“TimeoutCookieName”, "1") { Expires = DateTime.UtcNow});
   

3. (Client Side) : (Following script must exists immediately after BODY tag)

   window.preventBackButton = function () {
       try {
           if (document && (!document.cookie || document.cookie.indexOf('_tc=1') < 0)) {
               window.document.body.style.display = 'none'; window.location = window.location;
           }
       } catch (e) { }
   };
   window.preventBackButton(); //Call immediately after body tag
   

Please find ASP.NET implementation as follow:

////C# Helper class - Start
using System;
using System.Web;

namespace MyHelpers {
    public static class MyHtmlHelper {
        public const string TimeoutCookieName = "_tc";

        public static HtmlString PreventBackButtonScript(HttpResponseBase response) {
            response.SetCookie(new HttpCookie(TimeoutCookieName, "1") { Expires = DateTime.UtcNow.AddMinutes(10) });
            var clientScript = "window.-reventBackButton = function() {
                try {
                    if(document && (!document.cookie || document.cookie.indexOf('" + TimeoutCookieName + "=1') < 0)) {
                        window.document.body.style.display='none'; window.location = window.location;
                    }
                } catch(e) {}
            };
            window.preventBackButton();";

            return new HtmlString(clientScript);
        }

        public static void SafeUnSetTimeoutCookie(this HttpResponseBase response) {
            response.SetCookie(new HttpCookie(TimeoutCookieName, "0") { Expires = DateTime.UtcNow.AddYears(-5) });
        }
    }
}
////C# Helper class - End
//Shared\_Layout.cshtml
//Make sure not to include after logout OR login page
<html>
<body>
@MyHelpers.MyHtmlHelper.PreventBackButtonScript(Response)
.
.
<⁄body>
<⁄html>

Answer 2

You cannot disable the back button. If you can see the previously logged out user's page then your session checking script fails somewhere. Use a process script when you submit the logout form then redirect the currently logged out user to the main page (if applicable).

Answer 3

You can't. Browsers cache pages so they don't have to request it from a web server every time they load a page. When you hit the back button it loads the last page without asking the server.

Answer 4

It's probably more to do with the caching headers you're sending back on each page request. You have content that is only valid for a short time so you need to make sure you send headers back when you generate the page telling the browser not to cache it locally.

Example of disabling the page caching here http://www.w3schools.com/php/func_http_header.asp:

// Date in the past
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Cache-Control: no-cache");
header("Pragma: no-cache");

Answer 5

Are you clearing out the cache/session of the user? Even if they hit back I don't think it should keep them logged in if you clear their session on log out.

Answer 6

Edit: Prior to editing - by someone other than OP - this question asked if it is possible to disable the browser's back button. My original answer to that question is below. Also, I feel I need to clarify - the below approaches for essentially "breaking" the back button are not approaches I recommend or like. You should design your application to react sensibly when using basic browser features like the back button rather than try to prevent their use.

You cannot disable the back button on a user's browser. It's a fundamental feature of browsers which can't be overridden.

You can make it so that your application breaks (displays an error message, requiring the user to start over or re-submit a request) if the user goes back. It's a bad idea to do this, because it is really an admission that you didn't take the back button into account when you designed the application. Every application, even order forms, shopping carts etc, if designed correctly should be able to use the back button.

One approach I have seen for breaking on back button use is to pass a token on every URL within the application, and within every form. The token is regenerated on every page, and once the user loads a new page any tokens from previous pages are invalidated.

When the user loads a page, the page will only show if the correct token (which was given to all links/forms on the previous page) was passed to it.

The online banking application my bank provides is like this. If you use the back button at all, no more links will work and no more page reloads can be made - instead you see a notice telling you that you cannot go back, and you have to start over.

That said, I should remind you that making it so your application breaks when the user goes back is a bad idea and shows a poor application design.