
I'm learning CodeIgniter. After a user logs in, when he clicks on the log out button he goes back to the login page, but if he clicks on the browser back button he goes back to the connection page again. So the session is kept in the browser. How to redirect to the login page instead?

Code:

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class User extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->model('user_model');
    }

    public function index()
    {
        if ($this->session->userdata('logged_in'))
        {
            $session_data = $this->session->userdata('logged_in');
            $data['nom'] = $session_data['nom'];
            redirect('user/connection_Ok');
        }
        else
        {
            // If no session, redirect to login page (same route logout() uses)
            redirect('login');
        }
    }

    public function logout()
    {
        $this->session->unset_userdata('logged_in');
        // session_destroy();
        $this->session->sess_destroy();
        redirect('login');
    }
}
baptpro
  • Thanks for your reply. I would like to return to the login page again if the user clicks on the browser back button just after log out. It – baptpro May 18 '16 at 23:29
  • Please note that I turned my previous comments into an answer. – Sparky May 18 '16 at 23:31

2 Answers

when he clicks on the log out button he goes back to the login page, but if he clicks on the browser back button he goes back to the connection page again. So the session is kept in the browser.

I think there's some confusion here... if he clicks "logout", your logout controller destroys the session, period. Using the browser's "back" button cannot reverse this action or restore his session.

In other words, just because the cached page "looks like" he's still logged in, does not mean he is still logged in. As soon as he tries to access restricted content, he will not be authorized since his previous session was already destroyed.

How to redirect to the login page instead.

You can't stop users from clicking the browser's "back" button, nor can you easily control what happens when they do. The browser simply loads the cached version of the previous page without reloading it... it's just how browsers work.

JavaScript will give you access to things like browser history, but there is no perfectly reliable method for intercepting the "back" button. No matter how comprehensive or complex the solution, the user can simply disable JavaScript and defeat it.

However, if you program a robust authorization system, the user will automatically be taken to a login page anytime they try to access restricted content without being logged in.


FYI - for CodeIgniter, I recommend you use a proven authorization system so you don't have to reinvent the wheel or worry about security. I like Ben Edmunds' Ion Auth, but there are a few other solutions out there for CodeIgniter... just do your research.

Sparky
  • It's not that I want to prevent the user from clicking on the browser back button, but when he does he should be redirected to the page he's just because he's just logged out – baptpro May 18 '16 at 23:32
  • @baptpro, as I also stated, *"nor can you easily control what happens when they do"* - that is because the back button loads a cached version of the page and does not reload anything. – Sparky May 18 '16 at 23:34
  • Ok, as a learner of CI, I'm gonna learn more. An example of my case is Facebook. After I log out of Facebook and I click on the browser back button, I'm redirected to the login page again, so my connection page can be reached only after I log in. I hope you see what I mean! – baptpro May 18 '16 at 23:38
  • @baptpro, I did not say it was impossible... but have you looked at the source code of a Facebook page? There is a TON of JavaScript written by a large team of engineers for an audience of nearly a billion users. Not a good comparison. Although I linked to a JavaScript solution in my answer that will detect the back button, but to prevent people from bypassing it, you'll probably have to then design a website that will not operate when JavaScript is disabled. – Sparky May 18 '16 at 23:44
  1. To disable the browser's cache, add HTTP headers to the protected pages.
  2. Always enable the secure HTTP protocol (HTTPS) for the pages to protect; otherwise, the cache may not be disabled on some browsers (Safari).

Headers are:

Cache-Control: no-cache, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0

PS: no <meta> cache-control tags are needed in the HTML page; HTTP headers take precedence.

caucus
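Added example (not code from the question or either answer): a CodeIgniter 3 base controller that combines the two answers, a per-request authorization check so a page requested after logout never renders, plus the Cache-Control header from the second answer so the back button re-requests the page instead of showing a cached copy. It assumes the session key 'logged_in' and the 'login' route from the question's code, and that the site is served over HTTPS as the second answer requires.

```php
<?php
// application/core/MY_Controller.php (assumed location; CI 3 loads
// MY_Controller automatically when a controller extends it).
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');

        // 1. Authorization on every request (first answer): once logout()
        //    has destroyed the session, any protected page is redirected
        //    to the login page before its body runs. redirect() exits.
        if ( ! $this->session->userdata('logged_in'))
        {
            redirect('login');
        }

        // 2. No caching of protected pages (second answer): the browser
        //    must not keep a copy, so "back" re-requests the page from the
        //    server and hits the check above instead of a stale copy.
        $this->output->set_header('Cache-Control: no-cache, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0');
        // Pragma: no-cache is the HTTP/1.0 equivalent, added for old clients.
        $this->output->set_header('Pragma: no-cache');
    }
}

// application/controllers/Connection.php (assumed name): a protected page
// that only has to extend MY_Controller to get both behaviours.
class Connection extends MY_Controller
{
    public function index()
    {
        $session_data = $this->session->userdata('logged_in');
        // 'connection' is an assumed view name showing the user's 'nom'.
        $this->load->view('connection', array('nom' => $session_data['nom']));
    }
}
```

The question's own User controller (login/logout) keeps extending CI_Controller, since those actions must stay reachable when no session exists.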