how can i destroy session so that user cant go back to the previous page and cant access the page directly in codeigniter?

Question

I am trying to use session for login and logout in my code but my browser saves the data that is being passed and i can access the page directly if i enter the url like this 'localhost/P_Display/user/Dashboard/' i can access this page directly even after logout does this mean that session is not being destroyed completely? here is my code

if($login_data)
    {
       $user_id = $login_data->id;
       $login_data=$this->session->set_userdata(array('user_id'=>$user_id));
      // print_r($login_data);
       return redirect("user/dashboard/");
          }

this is the part that check the user for login..

now for logout

 public function logout() 
  {

  $this->session->unset_userdata('user_id');
    $this->session->sess_destroy();

 return redirect('user','refresh');
  }

what can i do to stop the user from accessing anything after logout?

Answer 1

Try with this in view file

<?php

header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
?>

Or in .htaccess FileETag None Header unset ETag Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate" Header set Pragma "no-cache" Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"

Or In the __construct function of controller

$this->output->set_header('Last-Modified: ' . gmdate("D, d M Y H:i:s") . ' GMT');('Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0');
$this->output->set_header('Pragma: no-cache');
$this->output->set_header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");

Or in HTML

<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="0" />

For more visit How to control web page caching, across all browsers?

Answer 2

I think you can check the session in constructor of dashboard controller. And if session is not set redirect the user to login page like...

class Dashboard extends CI_Controller {
    public function __construct()
    {
        if(!isset($this->session->userdata['user_id']))
        {
            redirect('user','refresh');
        }
    }
    .....
}  

This will redirect to users(should be login) controller if user is not logged in.

Answer 3

When I code the login part and control access, I use to control, for each function, userdata session. It means that each function starts with something like :

If (!$this->session->userdata('login_type')) {
redirect ('login', 'refresh')
}

For example.

I did not manage to use it in the constructor or other.

Answer 4

put below code in your __construct function of all your controller which are needed login

$this->output->set_header('Last-Modified:' . gmdate('D, d M Y H:i:s') . 'GMT');
$this->output->set_header('Cache-Control: no-store, no-cache, must-revalidate');
$this->output->set_header('Cache-Control: post-check=0, pre-check=0', false);
$this->output->set_header('Pragma: no-cache');

After this page will not open when you click on back button of browser.