php - Stopping the back button from exposing secure pages?


I'm encountering the (apparently common) problem of browser caches, with secure pages still being accessible via the back button (after the user logs out).

Here is logout.php:

<?php
    // 1. find the session
    session_start();

    // 2. unset all session variables
    $_SESSION = array();

    // 3. destroy the session cookie
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time() - 42000, '/');
    }

    // 4. destroy the session
    session_destroy();

    redirect_to('index.php?logout=1');
?>

This logs out users on IE7, IE8, Chrome and Firefox, but in Safari I'm able to press the back button (immediately after logging out) and still see the secure content. If I refresh the secure page, it boots me to the login screen (as it should).

You can try it at http://labs.inversepenguin.com (user: stack & pass: overflow).

I've tried using:

<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="-1">

...but it has no effect. Can anyone offer advice? I've found this article on browser caching, but have yet to find the answer within it... although I did find:

<?php
    header("Cache-Control: must-revalidate");

    // expire the page three days from now
    $offset = 60 * 60 * 24 * 3;
    $expstr = "Expires: " . gmdate("D, d M Y H:i:s", time() + $offset) . " GMT";
    header($expstr);
?>

...which does not solve the "problem." Hmm.

If you can use HTTPS, combining it with a Cache-Control: no-cache header will disable the "page cache" (the WebKit term for the in-memory/back-forward cache). The downside is that this is disabled for all secure page views, not just after logout. (Source; note that they are working on allowing exceptions, so it's worth keeping an eye on this.)

If you can depend on JavaScript, attaching an unload event handler will prevent the "page cache". This has the benefit of letting you break the cache when the "log out" button or link is clicked, by attaching the unload event handler at that point. (Source)

Neither of these solutions is ideal, but one of them might be a worthwhile compromise.
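As an added example (not code from the question or the answer), a PHP include that a secure page can require before any output: it sends the Cache-Control headers the answer relies on (with no-store added, which Firefox and Chrome have also treated as a back/forward-cache blocker) and redirects anyone without a session to the login page. The `$_SESSION['user_id']` key and `login.php` are assumptions.

```php
<?php
// secure_page_guard.php -- added example, not the original poster's code.
// Assumes the login script sets $_SESSION['user_id'] and that login.php exists.

function send_no_cache_headers(): void
{
    // Must run before any output, or header() silently fails.
    // no-cache + must-revalidate over HTTPS is what the answer describes for
    // Safari; no-store additionally keeps the page out of the back/forward
    // cache in Firefox and Chrome and stops proxies from keeping a copy.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');                                   // HTTP/1.0 caches
    header('Expires: ' . gmdate('D, d M Y H:i:s', 0) . ' GMT');  // already expired
}

function require_login(string $login_url = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {
        // Not logged in, or the session was destroyed by logout.php:
        // a back-button visit that reaches the server now ends up here.
        header('Location: ' . $login_url, true, 303);
        exit;
    }
}

// Usage at the very top of every secure page, before any HTML:
send_no_cache_headers();
require_login();
```

The headers only matter when the browser actually re-fetches the page, so the JavaScript unload handler from the answer remains the fallback for browsers that serve the history entry from memory.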
