Safari Back button not honouring PHP logout session

Question

I've got a logout.php page which ends a user's session and works well and does the following:

session_start(); session_unset(); session_destroy();

I've just noticed when testing with Safari that when you logout you can click the back button to return to the previous page which requires authentication but are not prompted. You cannot navigate away from this page without entering the navigation but it should not be displaying the previous page in the first place.

So far in my testing this is only an issue with Safari on Mac OS X and there are a number of other reports about this but with no resolution that I could find:

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_23702691.html

I would love to be able to disable this behaviour with Safari's back button - surprised that this is happening in the first place.

Thanks, Steve

Answer 1

Ensure that any page you serve which requires authentication is being sent with suitable cache control headers. The page is being displayed from the browser cache, by providing cache control which explicitly forbids caching you should be able to stop this.

From http://php.net/manual/en/function.header.php

<?php
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past
?>

Specifically for Safari, there's some discussion about caches and unload events, which you might be able to use to avoid caching. It seems that WebKit does have some complications with caching in general.

http://webkit.org/blog/427/webkit-page-cache-i-the-basics/

http://webkit.org/blog/516/webkit-page-cache-ii-the-unload-event/