How to Prevent User Go Back to Protected Page After Logout

How to prevent user go back to protected page after logout

Call the finish() method after startActivity, like this:

Intent intent = new Intent(MainActivity.this, LoginActivity.class);
intent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TOP);
startActivity(intent);
finish();

After Logout user can still access protected page

Created a file named session.php:

<?php
ob_start();
session_start();
// Just call this file session.php and include it in every file you want to protect with the session.
?>

Then we need to include the file in every page we want protected, like this:

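<?php
include 'session.php';
// var_dump($_SESSION); // debugging only: prints the session contents into the page

if(isset($_SESSION) ){
    // Compare the whole expression: !$_SESSION['name']=='admin' negates the name first, then compares.
    if(!(isset($_SESSION['name']) && $_SESSION['name']==='admin')){
        header("Location:login.html?id=access_forbidde");
        exit; // stop here so the protected content is never sent
    }
}else{
    header("Location:viewall.php?id=access_forbidde");
    exit;
}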

In else you have to name each page separately in that particular page.

And logout contains:

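<?php
include 'session.php';
// Empty the session data, expire the session cookie, then destroy the server-side session.
$_SESSION=array();
// Reuse the session cookie's own parameters so the browser matches and deletes it.
$p=session_get_cookie_params();
setcookie(session_name(),"",time()-3600,$p['path'],$p['domain'],$p['secure'],$p['httponly']);
session_destroy();
header("Location: login.html?id=logout_successful");
exit;
?>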

Thanks to PHP_Noob for his help, and I made it after a week.

Prevent user from seeing previously visited secured page after logout

You can and should not disable the browser back button or history. That's bad for user experience. There are JavaScript hacks, but they are not reliable and will also not work when the client has JS disabled.

Your concrete problem is that the requested page is being loaded from the browser cache instead of straight from the server. This is essentially harmless, but indeed confusing to the end user, because s/he incorrectly thinks that it's really coming from the server.

You just need to instruct the browser to not cache all the restricted JSP pages (and thus not only the logout page/action itself!). This way the browser is forced to request the page from the server instead of from the cache and hence all login checks on the server will be executed. You can do this using a Filter which sets the necessary response headers in the doFilter() method:

@WebFilter
public class NoCacheFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;

        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        response.setDateHeader("Expires", 0); // Proxies.

        chain.doFilter(req, res);
    }

    // ...
}

Map this Filter on an url-pattern of interest, for example *.jsp.

@WebFilter("*.jsp")

Or if you want to put this restriction on secured pages only, then you should specify an URL pattern which covers all those secured pages. For example, when they are all in the folder /app, then you need to specify the URL pattern of /app/*.

@WebFilter("/app/*")

Even more, you can do this job in the same Filter as where you're checking the presence of the logged-in user.

Don't forget to clear browser cache before testing! ;)

See also:

  • Authentication filter and servlet for login
  • How to control web page caching, across all browsers?

How to block / prevent user to go back to previous page after logout in ASP.NET

I think you have to use JavaScript. If you are using a master page, then write this code in the head section.

<script type="text/javascript">
window.history.forward(-1);
</script>

And in Master page (Page_Load) mode write this code.

Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetExpires(DateTime.UtcNow.AddHours(-1));
Response.Cache.SetNoStore();

avoid go back after logout

Even though the user can press the back button and see the previous page which was protected by login, that doesn't mean the user is logged in again. They can't do anything - it is just a static copy of a page they previously viewed.

It is normal behaviour that the user can press the back button and see previous pages, and sites should not attempt to break this. It is a browser feature.

In most circumstances, it is safe to allow the back button to operate normally even while a user is logged in. Breaking the back button while a user is logged in would have bad usability consequences for the user. In order to prevent a user returning to a page after logging out, you'd have to make sure all pages they view while logged in cannot be returned to with the back button, which breaks the back button for their entire session.

There are methods you can use to try and disable the back button for logged in sessions, such as by declaring a page to be uncacheable (and unstorable). These may or may not offer varying degrees of protection against back button use. There are plenty of other questions on Stack Overflow about disabling the back button - if you want to ignore advice and try to prevent it, please check them out.


