Back button takes the user back to protected page after logout - Zend Framework

I have created login and logout pages to access a control panel. The scenario goes like this: the user logs in, accesses the cpanel page and then logs out. Problem: when login is done, if the user clicks the browser back button, the user goes back to the login page even though authentication is done and sessions are set. At the same time, if the user logs out and clicks the back button, it will return back to the control panel page (if the user refreshes the page then everything seems to be fine and the user will be redirected to login, and the back button won't redirect her to cpanel).

The problem is the browser cache. I tried with both a PHP header and an HTML meta tag to prevent the page from caching but I could not succeed. Any solution to this?

My logout action code is as follows:

    public function logoutAction()
    {
        $auth = Zend_Auth::getInstance();

        // If not logged in, there is nothing to clear: go straight to the redirect
        if (!$auth->hasIdentity()) {
            $this->_redirect('admin/account/redirect');
        }

        // Remove the stored identity, then redirect
        $auth->clearIdentity();
        $this->_redirect('admin/account/redirect');
    }

Houghton answered 9/3, 2011 at 19:29 Comment(1)
Looks to me like you are right on by focusing on browser caching. As you note, if he reloads one of those pages, your auth-check kicks in and redirects him to login. I'd focus attention on fixing the no-cache headers you are sending for pages on which you do not want caching. - Ashtonashtonunderlyne

You could always run a piece of JavaScript onLoad that requests another PHP page using AJAX and then, if the user is logged in, redirects them back to the CPanel or Login page, wherever they are supposed to be.

jQuery post would handle this quite nicely. http://api.jquery.com/jQuery.post/

Sicilia answered 9/3, 2011 at 19:39 Comment(3)
I am going to try this. Thank you - Houghton
Niko, I tried this and the problem is that since the page is already loaded and cached by the browser, it is not going to load the page again, so onLoad will not do the trick! - Houghton
I haven't tried with Zend but I work with PHP and JavaScript. There should be no reason you can't use JavaScript to request a session variable from another PHP script and, if you get a certain variable, then redirect the browser to another page. Whether the page is cached or not should not have an effect. - Sicilia
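
The session check discussed in this answer and its comments, written against `pageshow` rather than `onLoad`, as an added example that is not part of the original thread. `STATUS_URL`, `LOGIN_URL` and the `{"loggedIn": true}` response shape are assumptions standing in for whatever the application exposes.

```javascript
// Added example, not code from the original post.
// STATUS_URL, LOGIN_URL and the {"loggedIn": true} JSON shape are assumptions.
const STATUS_URL = '/admin/account/status'; // hypothetical session-check action
const LOGIN_URL = '/admin/account/login';   // hypothetical login route

// Fail closed: only an HTTP 200 carrying loggedIn === true counts as a session.
function sessionIsLive(status, body) {
  return status === 200 && body !== null && typeof body === 'object' &&
    body.loggedIn === true;
}

// Ask the server, bypassing the HTTP cache, whether the session still exists.
async function checkSession(win) {
  try {
    const res = await win.fetch(STATUS_URL, {
      cache: 'no-store',          // never answer this from the browser cache
      credentials: 'same-origin', // send the session cookie
    });
    return sessionIsLive(res.status, await res.json());
  } catch (err) {
    return false;                 // network or JSON error: treat as logged out
  }
}

// Hide the stale page and leave it when the session is gone.
async function guardProtectedPage(win) {
  if (await checkSession(win)) return 'stay';
  win.document.documentElement.style.visibility = 'hidden';
  win.location.replace(LOGIN_URL); // replace() overwrites this history entry
  return 'redirect';
}

// pageshow fires on first load and again when the page is restored from the
// back/forward cache (event.persisted === true), where load does not re-run.
if (typeof window !== 'undefined') {
  window.addEventListener('pageshow', () => guardProtectedPage(window));
}
```

This is a client-side backstop only: the protected responses should still be sent with `Cache-Control: no-store` so the browser does not keep the content in the first place.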

Browsers can behave differently, so what browser are you using?

Also, why bother checking if the user has an identity when logging out? Just clear the identity regardless of whether the user is logged in or not - less code, the better...

My logout code looks like:

    $auth = Zend_Auth::getInstance();
    $auth->clearIdentity();
    $this->_redirect('/identity/login');
Tiffany answered 10/3, 2011 at 5:6 Comment(2)
Thank you, I am using Safari. I have not checked it on any browser but it seems my page is being cached by the browser and it does not execute the PHP code to check the auth instance and redirect the user to the login page. - Houghton
Sorry, can't recreate the problem with Safari on my site using Zend_Auth, so not sure what the issue is. Using JavaScript may be your only option, assuming all your PHP code is correct. - Tiffany

This is what I have in my logout action

    Zend_Session::destroy();
    $this->_helper->redirector('index', 'index');

And since the Zend_Auth identity is saved in a session, it gets destroyed as well. If I do a back (from the navigator), the absence of identity is caught and I am redirected to the login screen.

Serum answered 9/3, 2011 at 20:40 Comment(1)
Finally I found what the problem is: I tried the application on Chrome and it was redirecting me to login if I try to click on the back button now, but in Safari it was not happening because of cache, as guessed before. Then I disabled caching from Develop > Disable Caches and now it is working as it should. I wonder if there is any good solution to this! - Houghton

The method I would use is to force the login page to take place in a new window instance. When the user logs out, close that window. There will be nothing to go back to.

The alternative is to use sessions and do a POST every time the user moves to a new page. Hitting the back button here would require the content to be POSTed again, but the session would be closed and the request would fail.

Punkah answered 10/3, 2011 at 5:16 Comment(0)