php - Prevent back button after logout

Question

I don't want the user to go back to secured pages by clicking back button after logging out. In my logout code, I am unsetting the sessions and redirecting to login page.But, I think the browser is caching the page so it becomes visible despite the session being destroyed from logout.

I am able to avoid this by not allowing the browser to cache

header("Cache-Control", "no-cache, no-store, must-revalidate")

But this way I am loosing the advantage of Browser Caching.

Please suggest a better way of achieving this. I feel, there must be a way of handling this by javascript client side

Answer 1

Implement this in PHP and not javascript.

At the top of each page, check to see if the user is logged in. If not, they should be redirected to a login page:

<?php 
      if(!isset($_SESSION['logged_in'])) : 
      header("Location: login.php");  
?>

As you mentioned, on logout, simply unset the logged_in session variable, and destroy the session:

<?php
      unset($_SESSION['logged_in']);  
      session_destroy();  
?>

If the user clicks back now, no logged_in session variable will be available, and the page will not load.