Stopping the back button from exposing secure pages?


Problem description

I'm encountering an (apparently common) problem with browser caches: my secure pages are accessible via the back button (after user logout).

Here is my logout.php:

<?php
    // 1. Find the session
    session_start();

    // 2. Unset all the session variables
    $_SESSION = array();

    // 3. Destroy the session cookie
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time() - 42000, '/');
    }

    // 4. Destroy the session
    session_destroy();

    // 5. Send the user back to the index page.
    // redirect_to() in the original is an application-specific helper that is
    // not defined in this file; the standard header() redirect below is its
    // equivalent. exit() makes sure nothing is output after the redirect.
    header('Location: index.php?logout=1');
    exit;
?>

This successfully logs out users on IE7, IE8, Chrome and Firefox, but in Safari I'm able to press the back button (immediately after logging out) and still see the secure content. If I refresh the secure page, it boots me to the login screen (as it should).

I've tried using:

<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">

...but it has no effect. Can anyone offer any advice? I've found this article on browser caching, but I have yet to find an answer within it... although I did find:

<?php
 Header("Cache-Control: must-revalidate");

 $offset = 60 * 60 * 24 * 3;
 $ExpStr = "Expires: " . gmdate("D, d M Y H:i:s", time() + $offset) . " GMT";
 Header($ExpStr);
?>

...which also does not solve the "problem." Hmm.

Recommended answer

If you can use HTTPS, this combined with a Cache-Control: no-cache header will disable the "page cache" (the WebKit term for the in-memory/back-forward cache). The downside is that it will be disabled for all secure page views, not just after log out. (Source; note they are working on allowing exceptions, so it's worth keeping an eye on this.)

If you can depend on JavaScript, attaching an unload event handler will prevent the "page cache". This has the benefit of also allowing you to only break the cache when a "log out" button or link is clicked, by only then attaching the unload event handler. (Source)

Neither of these solutions is ideal, but one of them might be a worthwhile compromise.
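The JavaScript option described in the answer, as an added example that is not part of the original answer: the unload handler is registered only once the log-out link is clicked, and, going one step beyond the answer, a pageshow listener reloads any page that WebKit nevertheless restores from the page cache so the server's session check runs again. The function names and the small fake window used to exercise it offline are this example's own.

```javascript
// Arm a bfcache-defeating unload handler only when the user clicks the
// log-out link (per the answer), plus a fallback: if a page is restored
// from the page cache anyway (pageshow with persisted === true), reload it
// so an expired session redirects to the login screen.
function installLogoutCacheBuster(win, logoutSelector) {
  let armed = false;
  // The mere presence of an unload listener is what keeps WebKit from
  // placing the page in its page cache; the handler body does nothing.
  const onUnload = function () {};
  const arm = function () {
    if (armed) return;          // idempotent: one listener per page
    win.addEventListener('unload', onUnload);
    armed = true;
  };
  for (const link of win.document.querySelectorAll(logoutSelector)) {
    link.addEventListener('click', arm);
  }
  win.addEventListener('pageshow', function (ev) {
    if (ev.persisted) win.location.reload();
  });
  return { isArmed: () => armed };
}

// Constructed stand-ins (hypothetical, for running outside a browser):
// a minimal event target and a window object built from it.
class FakeTarget {
  constructor() { this.listeners = {}; }
  addEventListener(type, fn) {
    (this.listeners[type] = this.listeners[type] || []).push(fn);
  }
  dispatch(type, ev) { (this.listeners[type] || []).forEach(fn => fn(ev || {})); }
}
function makeFakeWindow(logoutLinks) {
  const win = new FakeTarget();
  win.location = { reloads: 0, reload() { this.reloads++; } };
  win.document = { querySelectorAll: () => logoutLinks };
  return win;
}
```

In a real page the call is `installLogoutCacheBuster(window, 'a.logout')` on DOMContentLoaded; the unload listener is then attached only on the navigation that follows a log-out click.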

