I've created user authentication using an awesome CodeIgniter authentication library, Ion Auth, in my CodeIgniter application. The authentication works fine, but when I log out and click the back button of the browser I can go through all the pages that I've visited in my application, which raises a concern over user privacy. If I try to refresh the page, however, it recognises that I'm logged out. How can I force the browser to reload when a user clicks the back button of the browser? Any suggestion on how to solve this problem will be appreciated.
EDIT
Controller logout function
function logout() {
    // log the user out
    $logout = $this->ion_auth->logout();
    // redirect them back to the page they came from
    redirect('auth', 'refresh');
}
This is the logout function from Ion Auth:
public function logout() {
    $this->ci->ion_auth_model->trigger_events('logout');
    $identity = $this->ci->config->item('identity', 'ion_auth');
    $this->ci->session->unset_userdata($identity);
    $this->ci->session->unset_userdata('group');
    $this->ci->session->unset_userdata('id');
    $this->ci->session->unset_userdata('user_id');
    // delete the remember me cookies if they exist
    if (get_cookie('identity')) {
        delete_cookie('identity');
    }
    if (get_cookie('remember_code')) {
        delete_cookie('remember_code');
    }
    $this->ci->session->sess_destroy();
    $this->set_message('logout_successful');
    return TRUE;
}
I'm using CodeIgniter 2.0.3.
Thanks in advance.
Chances are they are in fact logged out (as you say, refreshing causes them to appear logged out). It is likely that the browser has cached the HTML which is displayed indicating they're logged in, but doesn't reload it after they're logged out.
You can set the pages which have login-related information on them to no-cache by setting the Cache-Control header.
This can be achieved with HTML:
<META Http-Equiv="Cache-Control" Content="no-cache">
<META Http-Equiv="Pragma" Content="no-cache">
<META Http-Equiv="Expires" Content="0">
Or PHP:
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past
You can also implement the hacky and inadvisable approach of clearing the user's history for that particular window using the following code. This would need to be sent to the browser as part of the logout functionality and would not work if the user has JavaScript disabled.
<script type="text/javascript">
    // walk back past every entry in this window's history, then load the
    // page the user should land on
    var backLen = history.length;
    history.go(-backLen);
    window.location.href = "/auth/login"; // placeholder: put your own page URL here
</script>
I highly discourage disabling caching, as this will reduce the speed of your app. I had the same problem because of silly coding; what I did was, in my controllers, put the following code at the top of every function which interacted with the database and was used by users in a logged-in state:
// Do not let anyone interact with the database from cached pages!
if (!$this->tank_auth->is_logged_in()) {
    redirect('/auth/login/');
}
So that a redirection to the login page happens, which means a refresh as well, if a logged-out user's browser was "backed" to a cached logged-in state and tried to fiddle with the database.
Yes, Ion Auth has this problem; I was facing the same problem in my application. Another problem was that if the session expires on any link it takes you to the login page, but when you log in and try to access the last link where the session expired it always takes you back to the login page. To access the page you need to clear your browser cache. Here is the solution I found in GitHub comments on Ion Auth:
github ion-auth comment link
function logout() {
    // log the user out
    $logout = $this->ion_auth->logout();
    header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
    header("Expires: Wed, 4 Jul 2012 05:00:00 GMT");    // Date in the past
    // redirect them back to the page they came from
    redirect('auth', 'refresh');
}
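The three answers above come down to two server-side measures: send cache headers that keep authenticated pages out of the browser's history cache, and re-check the session on every request so a page shown from a stale cache cannot be used to do anything. The following is an added example, not code from the question, the answers, CodeIgniter or Ion Auth, that does both in one place for CodeIgniter 2.x with Ion Auth: a base controller in application/core/MY_Controller.php that every controller serving logged-in pages extends. It assumes the library is loaded under its default name ion_auth and that the login page lives at auth/login; both are assumptions to adjust for your app. Two practical points worth knowing: caches honour HTTP response headers, while `<meta http-equiv>` tags are not reliably honoured, and `no-cache` by itself only forces revalidation, whereas `no-store` is what keeps a page out of the back/forward cache. That also means the headers have to go on every authenticated page, not only on the logout response, whose headers arrive after the earlier pages were already cached.

```php
<?php
// Added example (not from the question or answers above). Save as
// application/core/MY_Controller.php in a CodeIgniter 2.x app using Ion Auth.
// Assumptions: Ion Auth is loaded as 'ion_auth' and the login page is at
// 'auth/login'; change both to match your application.
class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->helper('url');        // for redirect()
        $this->load->library('ion_auth');  // no-op if already autoloaded

        // 1. Keep every authenticated response out of browser and proxy caches.
        //    'no-store' is the directive that stops the page being replayed from
        //    the back/forward cache; the rest covers older HTTP/1.0 caches.
        $this->output->set_header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
        $this->output->set_header('Pragma: no-cache');
        $this->output->set_header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');

        // 2. Enforce the session on the server for every request, so a request
        //    from a cached page after logout is bounced to the login form
        //    instead of touching the database.
        if (!$this->ion_auth->logged_in()) {
            redirect('auth/login', 'refresh');
        }
    }
}

// Example of a protected controller: nothing auth-related is repeated here,
// every method inherits the header and login check from the constructor.
// (Put this in its own file, application/controllers/dashboard.php.)
class Dashboard extends MY_Controller
{
    public function index()
    {
        $this->load->view('dashboard');
    }
}
```

Only controllers that require a login should extend MY_Controller; public pages such as the login form itself keep extending CI_Controller, otherwise the redirect in the constructor loops. With these headers in place, pressing back after logout makes the browser refetch the page, the session check fails, and the user lands on the login form, which is the behaviour the question asks for without any client-side history tricks.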