session is not destroyed

Published 2020-05-07 18:44

Question:

I have this file

secure.php

<?php
session_start();
// Redirect visitors who have no logged-in user in the session.
if(empty($_SESSION['u_name'])) {
    header("Location:emprego.php");
    exit;
}

// Logout: destroy the session and send the user back to the login page.
if(isset($_GET['logout'])) {
    session_destroy();
    header("Location:emprego.php");
    exit;
}

$name = $_SESSION['u_name'];

?>

<li><?php echo "<a href='emprego.php?logout' id='D'>Logout</a>";?></li>

Basically, if I log out, I am redirected to emprego.php. But if I click the back button (the arrow in the browser), I can still view the same page (secure.php).

My question is, why?

Thanks

Answer 1:

http://nl2.php.net/manual/en/function.session-destroy.php

Take a look at example 1 here. It clearly states that you have to clear $_SESSION as well.

if(isset($_GET['logout'])) {
    unset($_SESSION['u_name']); // removes the variable from the current request's $_SESSION
    session_destroy();          // removes the server-side session data
    header("Location:emprego.php");
    exit;                       // stop here; nothing below should run after the redirect
}


Answer 2:

Your browser keeps a copy of the page in cache. When you click the back button, you are seeing the local cached copy, not the current page from the server. If your security is set up properly, you will not be able to do anything meaningful from that cached page.

It is for this reason that secure websites (bank sites, for example) tell you to log off and clear your cache (or close the browser) after you log out.



Answer 3:

If you're using session cookies, also try expiring the session cookie explicitly, like this:

if (ini_get("session.use_cookies")) {
    // Re-send the session cookie with an expiry in the past and the same
    // attributes it was set with, so the browser discards it.
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

Also, going back in the browser only loads a cached copy of the page. If you tried interacting with the cached page to fetch a new page from the server, you shouldn't be able to proceed.

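The three answers above each cover one piece of a correct logout: emptying `$_SESSION` for the rest of the request (Answer 1), telling the browser not to serve a cached copy of the protected page (Answer 2), and expiring the session cookie (Answer 3). The following file is an added example that combines them; it is not code from the question or from any of the answers. It assumes PHP 7.3 or newer (for the array form of `setcookie()`), keeps the question's session key `u_name` and login page `emprego.php`, and is meant to be saved as a hypothetical `auth.php` that secure.php includes.

```php
<?php
// Added example, not part of the original thread. Assumes PHP >= 7.3,
// the session key 'u_name' and login page 'emprego.php' from the question.
declare(strict_types=1);

// Ask browsers and intermediaries not to store the protected page, so the
// back button has to re-request it from the server (where the guard runs)
// instead of replaying a cached copy of the logged-in view.
function send_no_store_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');                          // HTTP/1.0 caches
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');
}

// Full logout. session_destroy() alone leaves $_SESSION populated for the
// remainder of the current request and leaves the cookie in the browser.
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Empty the superglobal for the rest of this request.
    $_SESSION = [];

    // 2. Expire the session cookie with the same attributes it was set with,
    //    so the browser stops sending the old session id.
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $params['path'],
            'domain'   => $params['domain'],
            'secure'   => $params['secure'],
            'httponly' => $params['httponly'],
            'samesite' => $params['samesite'] ?: 'Lax',  // assumed default
        ]);
    }

    // 3. Remove the server-side session record.
    session_destroy();
}

// Page guard for secure.php: handle logout, redirect anonymous visitors,
// and always stop executing after sending a Location header.
function require_login(string $login_page = 'emprego.php'): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    send_no_store_headers();

    if (isset($_GET['logout'])) {
        logout();
        header('Location: ' . $login_page);
        exit;
    }

    if (empty($_SESSION['u_name'])) {
        header('Location: ' . $login_page);
        exit;
    }

    return $_SESSION['u_name'];
}

// Usage at the very top of secure.php, before any output:
//   require 'auth.php';
//   $name = require_login();
```

With this in place, pressing the back button after logout makes the browser re-request secure.php (because of `Cache-Control: no-store`), the guard finds no `u_name`, and the visitor is redirected to the login page instead of seeing a stale copy. The `exit` after each `header('Location: ...')` matters: without it PHP keeps executing and renders the rest of the page even though a redirect was sent.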


Answer 4:

I recently found header_remove(); http://php.net/manual/en/function.header-remove.php

    Caution: This function will remove all headers set by PHP, including cookies, session and the X-Powered-By headers.

Not sure whether this is the appropriate way to do it, but it's pretty effective for log out functionality.



Answer 5:

All the other solutions didn't seem to work for me. However, this workaround did the trick. Basically, the code below keeps calling the logout until the logout finally succeeds:

if (isset($_GET["logout"])){
    if (isset($_SESSION["username"])) {
        // Session still has a user: clear it, destroy it, and redirect
        // back to this same logout URL to check again.
        unset($_SESSION["username"]);
        session_destroy();
        header("Location:/?logout=true");
        exit;
    }
    // No user left in the session: logout is complete, go to the home page.
    header("Location:/");
    exit;
}