I have the following logout() function that works on most browsers but not Safari. The problem in Safari is that after logout, if the user hits the back button, they get the previous page from cache instead of the login screen. Is there a way to adjust the logout function to handle this?
    function logout()
    {
        // unset any session variables
        $_SESSION = [];
        // expire cookie
        if (!empty($_COOKIE[session_name()]))
        {
            // setcookie(session_name(), "", time() - 42000);
            $params = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $params["path"], $params["domain"],
                $params["secure"], $params["httponly"]);
        }
        // destroy session
        session_destroy();
    }
It seems to me it is a browser issue more than a server issue.
Have you tried configuring caching headers in order to disallow caching of logged-in pages?
As another solution, I found a related SO post: Preventing cache on back-button in Safari 5.
You could try this solution, which is basically putting this JavaScript in your logged-in pages:
    window.onpageshow = function(event) {
        if (event.persisted) {
            window.location.reload();
        }
    };
To only reload the page after a logout, you could check that there is no cookie, so that the back button still works when logged in, for instance. Just change the "yourCookieName" string to your session cookie name.
    function getCookie(cname) {
        var name = cname + "=";
        var ca = document.cookie.split(';');
        for (var i = 0; i < ca.length; i++) {
            var c = ca[i];
            while (c.charAt(0) == ' ') c = c.substring(1);
            if (c.indexOf(name) == 0) return c.substring(name.length, c.length);
        }
        return null;
    }
    function hasCookie(cname) {
        return getCookie(cname) !== null;
    }
    window.onpageshow = function(event) {
        if (event.persisted && !hasCookie("yourCookieName")) {
            window.location.reload(); // or redirect to login page
        }
    };
Note: I think the cache will still exist in Safari with solution 2. So, this is not really a solution that handles security correctly, in my opinion.
Use a redirect in your code, like this:
    function logout()
    {
        // unset any session variables
        $_SESSION = [];
        // expire cookie
        if (!empty($_COOKIE[session_name()]))
        {
            // setcookie(session_name(), "", time() - 42000);
            $params = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $params["path"], $params["domain"],
                $params["secure"], $params["httponly"]);
        }
        // to redirect the user to login page
        $return_url = "login.php"; // I'm using login.php; you can change it according to your page
        // destroy session
        session_unset();
        session_destroy();
        header('Location: ' . $return_url); // redirect the user
        exit; // stop the script so nothing else runs after the redirect
    }
Also verify whether the user session exists or not with:
    session_start();
    // redirect to the index page when no user is stored in the session
    if (empty($_SESSION['name'])) {
        header("Location: index.php");
        exit;
    }
Note: This needs to be on every page, so that the user can access the page only if they have a session.
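The two suggestions in the answers above (caching headers on logged-in pages, and a session check on every page) combined into one guard, as an added example that is not part of the original posts. The helper names send_no_store_headers() and require_login() are hypothetical; login.php and the 'name' session key are taken from the second answer.

```php
<?php
// Added example (not from the original posts). Include at the top of every
// page that requires a logged-in user, before any output is sent.

// Hypothetical helper: ask the browser and any intermediary cache not to
// keep a copy of this response.
function send_no_store_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');   // for HTTP/1.0 caches
    header('Expires: 0');         // treat the response as already expired
}

// Hypothetical helper: serve the page only when the session marks the user
// as logged in. 'name' is the session key used in the second answer.
function require_login(string $loginUrl = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Sent after session_start() so these values replace any cache headers
    // the session module emitted; they apply to the redirect and the page.
    send_no_store_headers();

    if (empty($_SESSION['name'])) {
        header('Location: ' . $loginUrl, true, 302);
        exit; // stop before any protected markup is rendered
    }
}

require_login();
// ... protected page content follows ...
```

With the session destroyed by logout(), any request that reaches the server, including a reload triggered from the pageshow handler, is redirected to the login page.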