Question

I have a simple login and logout system using PHP in WampServer. The login form is on index.php, which leads to login.php after submission, and login.php has a link to log out (logout.php).

index.php

<html>
    <head>
    </head>

    <body>
        <form action="login.php" method="POST">
            Username:<input name="username" type="text">
            <br>
            Password:<input type="password" name="password">
            <br>
            <input type="submit" name="submit" value="login">

        </form>
    </body>
</html>

login.php

<html>  
<head>

</head>
<body>

<?php

    define('DB_NAME','db_name');
    define('DB_USER','root');
    define('DB_PASSWORD','');
    define('DB_HOST','localhost');

    $link=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD);

    if (!$link)
    {
        die('Failed to connect to MySQL: ' . mysql_error());
    }

    $query = "CREATE DATABASE IF NOT EXISTS " . DB_NAME;

    if(!mysql_query($query)){
        die('Error in creating database : <br> ' . mysql_error());
    }
    $db_selected = mysql_select_db (DB_NAME, $link);
    if(!$db_selected) {
        die(' Can\'t use ' . DB_NAME . ' : ' . mysql_error() );
    }

    session_start();
    if (isset($_POST['submit'])) {
        $username = $_POST['username'];
        $password = $_POST['password'];

        if ($username && $password ){

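            // Escape the user-supplied value before it goes into the SQL string.
            $safe_username = mysql_real_escape_string($username, $link);
            $query = mysql_query("SELECT * FROM login WHERE username='$safe_username'");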
            $numrows = mysql_num_rows($query);

            if($numrows!==0){
                while($row = mysql_fetch_assoc($query)){
                    $dbusername = $row['username'];
                    $dbpassword = $row['password'];
                }

                if ($username==$dbusername && $password==$dbpassword) {
                    echo "You are logged in !";
                    @$_SESSION['username'] = $username;
                }
                else{
                    die("password incorrect");
                }
            }
            else{
                die("User does not exist");
            }
        }
        else {
            die("Please enter correct username and password");
        }
    }
?>

        <br>
        <a href="logout.php">Logout</a>
    </body>

</html>

logout.php

<?php
    session_start();
    unset($_SESSION["username"]);
    header("Location: index.html");
    exit; // stop the script once the redirect header has been sent

?>

Which is working.

Now, I want to prevent the following.

  1. Going back to login.php after logging out
  2. Going back to index.html after having logged in
  3. Going to login.php and index.html by typing the URL of those pages.

I have tried adding the following to login.php to clear the cache, but it has not worked.

header('Cache-Control: no-cache, must-revalidate');
header('Expires: Sat, 26 Jul 1997 05:00:00 GMT');

And

header ("Expires: Mon, 26 Jul 1997 05:00:00 GMT");    // Date in the past
header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header ("Cache-Control: no-cache, must-revalidate");  // HTTP/1.1
header ("Pragma: no-cache");

In fact, if I don't write either of the above two code snippets, the browser asks for form resubmission. But if I do write it, it directly shows the pages when going back, without preventing anything.

I have seen this question on this site but could not understand how to apply it. Could anyone please explain how to clear the cache or use any other method in PHP to do it?


Solution

You can use

if (isset($_SESSION["username"]))
{
    // header to another location
}

// in index

if (isset($_SESSION["username"]))
{
    header("Location: login.html");
    exit; // stop here so the rest of the page is not sent after the redirect
}
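
The session checks the answer describes, written out as a shared include (an added example, not code from the question or the answer). It assumes a hypothetical `auth.php` include and a hypothetical members-only page `home.php`; `index.php` is the login form from the question.

```php
<?php
// auth.php: hypothetical shared include (added example, not code from the post).
function start_session(): void {
    // Must run before any HTML output so the session cookie header can be sent.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

function no_store(): void {
    // Keep the page out of the browser cache so Back re-requests it and the
    // session check runs again instead of a stored copy being shown.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
}

function redirect(string $to): void {
    header('Location: ' . $to);
    exit; // without this the rest of the page is still generated and sent
}

// Top of every members-only page: anonymous visitors are sent to the form.
function require_login(string $form = 'index.php'): void {
    start_session();
    no_store();
    if (!isset($_SESSION['username'])) {
        redirect($form);
    }
}

// Top of the login form: a user who is already logged in skips it.
// 'home.php' is an assumed name for the members-only page.
function redirect_if_logged_in(string $home = 'home.php'): void {
    start_session();
    no_store();
    if (isset($_SESSION['username'])) {
        redirect($home);
    }
}

// Call once the password check has succeeded, then redirect to the members page.
function log_in(string $username): void {
    start_session();
    session_regenerate_id(true); // fresh session id: blocks session fixation
    $_SESSION['username'] = $username;
}

// logout.php: discard the server-side session, then return to the form.
function log_out(string $form = 'index.php'): void {
    start_session();
    $_SESSION = [];
    session_destroy();
    redirect($form);
}
```

Calling `require_login()` at the top of each members-only page, `redirect_if_logged_in()` at the top of index.php and `log_out()` in logout.php covers the three cases in the question. Redirecting to the members page after `log_in()`, rather than rendering it from the POST, also avoids the form-resubmission prompt on Back.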
Licensed under: CC-BY-SA with attribution