Prevent Back Button After Logout

Prevent back button after logout

Implement this in PHP and not JavaScript.

At the top of each page, check to see if the user is logged in. If not, they should be redirected to a login page:

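<?php
session_start(); // the session must be started before $_SESSION can be read
if (!isset($_SESSION['logged_in'])) {
    header("Location: login.php");
    exit; // stop here so the rest of the protected page is never sent
}
?>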

As you mentioned, on logout, simply unset the logged_in session variable, and destroy the session:

<?php
session_start(); // resume the current session so it can be destroyed
unset($_SESSION['logged_in']);
session_destroy();
?>

If the user clicks back now, no logged_in session variable will be available, and the page will not load.

Disable browser 'Back' button after logout?

Finally found the solution:

from django.http import HttpResponse
from django.views.decorators.cache import cache_control

@cache_control(no_cache=True, must_revalidate=True)
def func(request):
    # some code
    return HttpResponse()

This will force the browser to make a request to the server.

How to prevent browser back button after logout Aspnet Core

You need to set the Cache-Control header. For a single page or controller, you can set the header like this:

[ResponseCache(Location = ResponseCacheLocation.None, NoStore = true)]

If that doesn't work, make sure the header is not being overwritten. You can find a detailed explanation in my blog post: How To Prevent the Back Button after Logout in ASP.NET Core MVC.

How Disable Browser Back Button only after Logout in mvc3.net

You could clear the browser history when the user logs out:

var url = window.location.href;
window.history.go(-window.history.length);
window.location.href = url;

However, this would not be particularly robust - it relies on JavaScript, it would not work across multiple tabs and may only serve to annoy the user. IMO the best bet is to set appropriate caching headers such that the browser will not cache any of your 'logged in' pages via a NoCacheAttribute applied appropriately:

using System;
using System.Web;
using System.Web.Mvc;

// Action filter that marks the response as expired and not cacheable.
public class NoCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        filterContext.HttpContext.Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
        filterContext.HttpContext.Response.Cache.SetValidUntilExpires(false);
        filterContext.HttpContext.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        filterContext.HttpContext.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        filterContext.HttpContext.Response.Cache.SetNoStore();

        base.OnResultExecuting(filterContext);
    }
}

how to disable the back button after logout in angular 7

You can add a guard to watch and decide if the user can access the page or not, rather than disabling the browser's events. CanActivate is the saviour.

CanActivate (Interface)

Interface that a class can implement to be a guard deciding if a route can be activated. If all guards return true, navigation will continue. If any guard returns false, navigation will be cancelled.

(From the official documentation of Angular)

Here I am adding some code that I am currently using. Hope it helps to understand how to implement one.

import { Injectable } from '@angular/core';
import { CanActivate, ActivatedRouteSnapshot, Router, RouterStateSnapshot } from '@angular/router';

import { IdentityService } from './identity.service';

@Injectable()
export class LoginGuard implements CanActivate {

    constructor(private identityService: IdentityService, private router: Router) { }

    canActivate(route: ActivatedRouteSnapshot, state: RouterStateSnapshot): boolean {
        if (this.identityService.isLoggedIn()) { // determine if the user is logged in from this method.
            return true;
        }
        // not logged in: send the user to the login page and cancel navigation
        this.router.navigate(['/login']);
        return false;
    }
}

Add this LoginGuard class to the providers in your app.module.ts:

providers: [{ provide: LoginGuard, useClass: LoginGuard }]

Then add canActivate to the route to guard it.

{
    path: 'dashboard',
    component: DashboadComponent,
    canActivate: [LoginGuard]
}

Why after logout clicking back button on the page displays previous page content?

Turns out that your browser is caching pages before you press the back button. The browser caching mechanism is designed to minimize the server access time by getting the page from the local cache if the page has the same URL. It significantly reduces the server load when thousands of clients are browsing the server, and seems to be very helpful. But in some cases, especially in yours, the content should be updated. The back button is designed so that it caches every page that a user is browsing and retrieves them from the local cache when the back button is pressed. So, the solution is to tell the browser not to allow caching by returning the response with special headers that control the browser caching. In the servlet environment you might use a filter to turn off caching, but in Struts2 you could use a custom interceptor. For example:

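import javax.servlet.http.HttpServletResponse;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.Interceptor;

public class CacheInterceptor implements Interceptor {

    private static final long serialVersionUID = 1L;

    @Override
    public void destroy() {}

    @Override
    public void init() {}

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        // set the caching headers on the response, then continue with the action
        HttpServletResponse response = ServletActionContext.getResponse();
        response.setHeader("Cache-Control", "no-cache");
        response.setHeader("Pragma", "no-cache");
        response.setHeader("Expires", "-1");
        return invocation.invoke();
    }

}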

Now you could configure this interceptor to be used by every action:

<package name="default" extends="struts-default" abstract="true">

    <interceptors>
        <interceptor name="cache" class="org.yourcompany.struts.interceptor.CacheInterceptor"/>
        <interceptor-stack name="cacheStack">
            <interceptor-ref name="cache"/>
            <interceptor-ref name="defaultStack"/>
        </interceptor-stack>
    </interceptors>
    <default-interceptor-ref name="cacheStack"/>

</package>

When your packages extend the default package, they inherit the interceptor and the interceptor stack. You can also override this configuration in the action configuration.
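
The header-based answers above set different `Cache-Control` directives, and the difference matters: `no-store` forbids keeping a copy at all, while `no-cache` allows a copy that must be revalidated before reuse. The following Python check is an added example, not code from any of the answers; it parses `Cache-Control` and classifies a response, and the function names and sample header sets are constructed for illustration.

```python
import re

# One directive: a token, optionally "=" and a token or quoted-string argument.
_DIRECTIVE = re.compile(r'([\w-]+)(?:\s*=\s*("[^"]*"|[^,\s]*))?')

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    return {name.lower(): (arg.strip('"') or None)
            for name, arg in _DIRECTIVE.findall(value)}

def reuse_policy(headers):
    """Classify a response as 'no-store', 'revalidate' or 'storable'.

    Only Cache-Control is read; Pragma and Expires are ignored.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    if "no-store" in cc:
        return "no-store"      # a cache must not keep any copy
    # no-cache with a field-name argument only restricts those fields.
    unqualified_no_cache = "no-cache" in cc and cc["no-cache"] is None
    stale_at_once = cc.get("max-age") == "0" and "must-revalidate" in cc
    if unqualified_no_cache or stale_at_once:
        return "revalidate"    # a copy may be kept but must be checked first
    return "storable"          # nothing stops a cache from reusing the page

def audit(responses):
    """Map each page name to its reuse policy."""
    return {page: reuse_policy(h) for page, h in responses.items()}

# Constructed samples mirroring the directives set in the answers above.
SAMPLES = {
    "struts-interceptor": {"Cache-Control": "no-cache", "Pragma": "no-cache",
                           "Expires": "-1"},
    "django-decorator": {"Cache-Control": "no-cache, must-revalidate"},
    "aspnet-nostore": {"cache-control": "no-store,no-cache"},
    "no-headers": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for page, policy in audit(SAMPLES).items():
        print(f"{page}: {policy}")
```

A logged-in page that comes back as `storable` is one a cache may show again without contacting the server.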


