After the user logs out he is signed out, but if you click the browser's back arrow he gets access again

Viewed 340 times

-2

The logout code [Standard]

    public function logout(Request $request)
    {
        $guard = $this->getGuard();

        Auth::guard($guard)->logout();

        $request->session()->flush();

        return redirect('/');
    }

  • 1

    And if you go back and refresh, what happens?

  • It goes back to the login screen, but the bad thing is if the user leaves the screen open and someone goes back and sees some data.

  • This is strange. Are you using the auth middleware on your route or in the __construct of your controller?

  • It’s being used on both routes and controller.

  • I read something that says that when you click back, the browser is not necessarily making a new request; it might be picking up the state of the previous page and just displaying it. But no solution.

  • 3

    Exactly. The previous page is already in memory, so there is no need to make a new request to display it.

  • You can read this explanation. And if you still want to try something, you can try that solution.

  • All good, thanks for the help.


2 answers

-1

Your code is right, but in loginController you need to check whether authentication exists. Since you destroyed it, the user will not be logged in; with Auth::check() you validate whether the user is logged in or not.

-2

In the login you can call session_name('nomedasessaoaescolha'), start the session with session_start() and save user data, e.g. $_SESSION['user'] = $row['id'] and $_SESSION['nome'] = $row['nome'].

On logout you need to call session_unset("nomedasessaoacimaescolhido") and destroy the session with session_destroy().

Then on all the other pages that you do not want accessed after logout, just put the following piece of code:

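    session_name('nomesessao');
    session_start();

    if (isset($_SESSION['user']) && $_SESSION['user'] != "") {
        // Logged in: continue rendering the page.
    } else {
        // Not logged in: redirect and stop executing the rest of the script.
        header('Location: index.html');
        exit;
    }
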
  • And how does this solve the problem of pressing the browser's back button and viewing a cached page?

  • 1

    As I mentioned in the third paragraph, where that piece of code is placed, pressing Back will check if the user is logged in; if not, it will redirect him to the login page, for example.

  • 1

    The point is that this code is only executed if there is a new request to the server, which does not happen when Back is pressed.

  • What do you mean, a new request to the server? The code is located in the header of all pages that do not allow access without login.

  • 2

    By pressing back, the browser will display the cached version of the page, so the server code will not run again. As the previous page had the login, the cached page will also have the login; the verification of whether the session exists or not will only be executed when the user tries to perform some action that makes a request to the server. This is a cache "problem", not session management.

  • I already understood the problem. There is a small error in the statement, because the previous page did have the login, but that same login is destroyed at logout (session_destroy), which means the previous page that had the login no longer has it, and so with the validation mentioned above access to the page is no longer allowed.

  • No, because the above check will not be executed when you press back. Read about what caching is and test it to understand better.
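
The comments above locate the problem in the browser cache rather than in the session code. As an added example (not code from the question, the answers or Laravel itself), one way to address that is a middleware that marks responses rendered for a logged-in user as non-storable, so pressing Back has to make a new request that the auth middleware can then reject. The class name NoStoreCache, the 'nostore' alias and DashboardController are hypothetical.

```php
<?php
// Added example, not code from the question or from Laravel itself.
// The class name NoStoreCache and the 'nostore' alias are hypothetical.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class NoStoreCache
{
    /**
     * Mark responses rendered for a logged-in user as non-storable, so the
     * browser has to ask the server again when the user navigates back.
     * That new request reaches the auth middleware, which after logout
     * redirects to the login screen instead of showing the old page.
     */
    public function handle($request, Closure $next, $guard = null)
    {
        $response = $next($request);

        // Responses produced for guests (login form, public pages, the
        // redirect returned by logout itself) keep their normal caching.
        if (Auth::guard($guard)->guest()) {
            return $response;
        }

        // headers->set() is available on every Symfony response type that
        // Laravel returns (views, JSON, redirects, file downloads).
        $response->headers->set('Cache-Control', 'no-store, no-cache, must-revalidate, max-age=0');
        $response->headers->set('Pragma', 'no-cache');                       // HTTP/1.0 caches
        $response->headers->set('Expires', 'Thu, 01 Jan 1970 00:00:00 GMT'); // already expired

        return $response;
    }
}

// Registration (app/Http/Kernel.php, in $routeMiddleware):
//     'nostore' => \App\Http\Middleware\NoStoreCache::class,
//
// Usage in the routes file, next to the existing auth middleware
// (DashboardController is a hypothetical controller):
//     Route::group(['middleware' => ['auth', 'nostore']], function () {
//         Route::get('/dashboard', 'DashboardController@index');
//     });
```

To check the effect, log in, open a protected page, log out and press Back: the browser's network panel should show a new request for the page that ends in a redirect to the login screen.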
