I'm encountering an (apparently common) problem with browser caches, and my secure pages being accessible via the back button (after user logout).
Here is my logout.php
<?php
// 1. Resume the existing session so it can be torn down
session_start();
// 2. Unset all the session variables
$_SESSION = array();
// 3. Expire the session cookie in the browser
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time() - 42000, '/');
}
// 4. Destroy the session data on the server
session_destroy();
// redirect_to() is the application's own helper (not a PHP built-in);
// it sends a Location header and stops script execution
redirect_to('index.php?logout=1');
?>
This successfully logs out users on IE7, IE8, Chrome and Firefox--but in Safari, I'm able to press the back button (immediately after logging out) and still see the secure content. If I refresh the secure page, it boots me to the login screen (as it should.)
I've tried using:
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
...but it has no effect. Can anyone offer any advice? I've found this article on browser caching, but I have yet to find an answer within it... although I did find:
<?php
// Headers must be sent before any output
header("Cache-Control: must-revalidate");
$offset = 60 * 60 * 24 * 3; // three days, in seconds
$ExpStr = "Expires: " . gmdate("D, d M Y H:i:s", time() + $offset) . " GMT";
header($ExpStr);
?>
...which also does not solve the "problem." Hmm.
If you can use HTTPS, this combined with a Cache-Control: no-cache header will disable the "page cache" (the WebKit term for in-memory/back-forward cache). The downside of this is that it will be disabled for all secure page views, not just after log out. (Source; note they are working on allowing exceptions, it's worth keeping an eye on this.)
If you can depend on JavaScript, attaching an unload event handler will prevent the "page cache". This has the benefit of also allowing you to only break the cache when a "log out" button or link is clicked, by only then attaching the unload event handler. (Source)
Neither of these solutions are ideal, but one of them might be a worthwhile compromise.
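Both approaches from the answer, put together in one authenticated page. This is an added example, not code from the question or the answer: it sends real HTTP cache headers from PHP (the META tags in the question only reach the HTML parser, not the cache) and arms the unload listener only when the logout link is clicked. The session keys user_id and user_name, the file names login.php and logout.php, and the no-store/must-revalidate directives added alongside no-cache are assumptions for this example.

```php
<?php
// Added example: cache headers plus a click-armed unload handler.
// No whitespace may precede this opening tag, because header() only
// works before the first byte of the response body is sent.

// Call at the top of every page that shows authenticated content.
function send_no_cache_headers()
{
    // no-cache is the directive the answer relies on for WebKit's page
    // cache; no-store and must-revalidate also cover shared caches and
    // older HTTP/1.0 peers (assumed additions for this example).
    header('Cache-Control: no-cache, no-store, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Bounce anonymous visitors to the login page (session key assumed).
function require_login()
{
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php');
        exit;
    }
}

session_start();
send_no_cache_headers();
require_login();

$name = isset($_SESSION['user_name']) ? $_SESSION['user_name'] : 'user';
?>
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>Secure page</title>
</head>
<body>
<p>Hello, <?php echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'); ?>.</p>
<a id="logout" href="logout.php">Log out</a>

<script>
// The mere presence of an unload listener makes WebKit skip the
// back/forward "page cache" for this page. Attaching it only on the
// logout click keeps the cache working for ordinary navigation.
document.getElementById('logout').addEventListener('click', function () {
    window.addEventListener('unload', function () {
        // intentionally empty
    });
});
</script>
</body>
</html>
```

Serve the page over HTTPS for the header-based half to take effect, as the answer notes; the unload listener works regardless of scheme but depends on JavaScript being enabled.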