I have the following logout() function that works on most browsers but not Safari. The problem in Safari is that after logout, if the user hits the back button, they get the previous page from cache instead of the login screen. Is there a way to adjust the logout function to handle this?
```php
function logout()
{
    // unset any session variables
    $_SESSION = [];
    // expire cookie
    if (!empty($_COOKIE[session_name()]))
    {
        // setcookie(session_name(), "", time() - 42000);
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]);
    }
    // destroy session
    session_destroy();
}
```
Wow, it's Apple. The problem has persisted for almost 10 years as of now. The reload
```javascript
window.onpageshow = function(event) {
    if (event.persisted) {
        window.location.reload();
    }
};
```
only partially worked for me, as the page is first reloaded from cache and then reloaded. I found this unacceptable, as there might be sensitive information on the screen and a screen recording would reveal it.
Thus, I used a combination of methods to make sure back will never reveal anything:
Put a logout confirmation page after the logout and redirect automatically after a brief period to the login page again.
```html
<h1>Logged out</h1>
<p>You have been successfully logged out.</p>
<p>Redirecting to login page...</p>
<script>
window.onpageshow = function(event) {
    if (event.persisted) {
        window.location.reload();
    }
};
setTimeout(() => { window.location.href = '/login'; }, 2000);
</script>
```
Use the reload function from above on the logout and any other sensitive pages.
Set headers
```javascript
resp.headers.set("cache-control", "no-store, no-cache, must-revalidate");
resp.headers.set("pragma", "no-cache");
resp.headers.set("expires", "0");
```
on any sensitive pages to avoid any long-term caching.
This combination worked: I can still use the back button, but it will show only the logout confirmation and then reload; also, the cache invalidation has surely kicked in, so I could never reach my protected pages again.