Question

I have a web application that allows users to log in. When the user clicks the logout button, I unset all the POST variables and clear all the cookies which contain the session. However, when I press the back button, all the POST variables are still there, the last logged-in page still comes up, and a new session is generated in the user's cookies.

I have checked all the headers such as no-cache and must-revalidate, and the same still happens.

The fact that the POST data is still there is an indication that the page is being loaded from the browser history.

I know that there is a perfect solution for my question because many web applications do so. I would like to know how major corporations do it. There has to be a standard way which will work like a charm.

PS: Using JavaScript is not an option. Maybe with JS I can do something to prevent loading, but I don't want to do that, as many users might have disabled JS. I also do not want to disable the back button and refresh features of the browser, which some applications do.


Solution

I guess this is happening only if the user logs in and, right after logging in, clicks logout. Then, when you press the back button in the browser, the form with the $_POST data of his login is sent again and the browser asks you if you want to send that form again. Am I right? Do you mean this?

If yes, then use this solution to avoid sending the form again (when the back button is clicked or F5 (refresh) is pressed):

When you process the form with the login data, redirect to the same page or to the home page (it's up to you). Use

header("HTTP/1.1 302 Found");
header('Location: '.$url_to_redirect);
exit; // stop here so nothing after the redirect is rendered into the response

Then, when he clicks the back button or refreshes the page, it will not send the login data again, so it will not log him in again.

If there is another reason, just comment and I will explain more.

OTHER TIPS

1) Use POST for your form data transmission.
2) After processing the POSTed data on the server side, send a 302 Moved response to the client, forcing it to leave the POST and directing it to a GET landing page.

This should be the general way to handle form submissions, effectively inhibiting re-POSTing of form data. It cannot be done with GET forms; however, there's seldom a need for guarded GET forms...
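The Post/Redirect/Get flow described in both answers above, written out as one small PHP application. This is an added example, not code from the question or from either answer, and everything in it is constructed: the file name app.php, the `p` query parameter, the user `alice` and her password. Beyond the redirect itself it also sends `Cache-Control: no-store` on every response and destroys the session server-side on logout, which is my assumption about what the asker's "no-cache and must-revalidate" setup is missing: the redirect stops the credentials being re-POSTed, while no-store and the server-side destroy are what keep the last logged-in page from being usable after Back.

```php
<?php
// Added example (not from the original question or answers). A single-file
// Post/Redirect/Get login flow. All names are constructed for illustration.
// Run with: php -S 127.0.0.1:8000 app.php  and open http://127.0.0.1:8000/?p=login
declare(strict_types=1);

// Constructed user store. The hash is computed at startup only so that the
// example runs anywhere; a real application stores the hash, never the password.
$USERS = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

// Every page here is personal to the logged-in user, so forbid caching.
// no-store (rather than only no-cache/must-revalidate) is the directive that
// keeps a page out of the browser's back/forward cache after logout.
function no_store_headers(): void
{
    header('Cache-Control: no-store, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Step 2 of the answers: leave the POST behind by redirecting to a GET page.
// 303 See Other explicitly means "fetch Location with GET"; the 302 used in
// the accepted answer behaves the same way in current browsers.
function redirect_to(string $path): void
{
    header('Location: ' . $path, true, 303);
    exit; // nothing after a redirect may be rendered
}

function handle_login(array $users): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        echo '<form method="post" action="?p=login">'
           . 'User <input name="user"> Password <input type="password" name="pass"> '
           . '<button>Log in</button></form>';
        return;
    }
    $user = (string)($_POST['user'] ?? '');
    $pass = (string)($_POST['pass'] ?? '');
    if (isset($users[$user]) && password_verify($pass, $users[$user])) {
        session_regenerate_id(true);   // fresh session ID after authentication (anti-fixation)
        $_SESSION['user'] = $user;
        redirect_to('?p=home');        // the POST is consumed; Back and F5 now replay only GETs
    }
    http_response_code(401);
    echo 'Login failed';
}

function handle_home(): void
{
    if (empty($_SESSION['user'])) {
        redirect_to('?p=login');       // no valid server-side session: nothing to show
    }
    echo 'Logged in as ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8')
       . ' <a href="?p=logout">Log out</a>';
}

function handle_logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the session cookie in the browser...
        $c = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $c['path'], $c['domain'], $c['secure'], $c['httponly']);
    }
    // ...and, more importantly, invalidate the session on the server, so a
    // cached copy of the old page cannot be used to act as the user.
    session_destroy();
    redirect_to('?p=login');
}

ini_set('session.cookie_httponly', '1');
no_store_headers();   // must precede any output and the session cookie
session_start();

switch ($_GET['p'] ?? 'home') {
    case 'login':  handle_login($USERS); break;
    case 'logout': handle_logout();      break;
    default:       handle_home();
}
```

After a successful login the browser's history holds the GET of `?p=login` and the GET of `?p=home`, never the POST, so Back and Refresh do not re-submit credentials. After logout, Back re-fetches `?p=home` (no-store), the server finds no session, and the user is redirected to the login form. In a production application the logout link should itself be a POST with a CSRF token rather than a plain link; that is left out here to keep the example short.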

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow