Prevent displaying previous pages after logout

Posted on 2024-09-14 09:08:37 (130 characters, 5 views, 0 comments)

i'm working at PHP application but i have a trouble, in fact when a user logged out and press after logging out the back button of the browser he can see the previous page as if the session has not been destroyed :(( i have tried all that i find here and on the web but it doesn't work :'(

Can I disable the back button?


Comments (6)

迷你仙 2024-09-21 09:08:37

http://blog.priyakant.com/2014/09/23/browser-back-button-prevent/

Summary:

Browser back button – Prevent displaying of previous pages after logout – Cookie based approach
Posted on September 23, 2014 by Priyakant Patel — Leave a comment
Prevent displaying of previous pages after logout

Client browsers cache pages for performance reasons. In this case, when the user clicks Back (the browser back button), the browser shows the previous page from its cache.

Case 1 : User is still logged in.

It is OK to display the content of the previous page.

Case 2 : User is logged out.

Potentially the next user can click the browser back button and see the content(s) of the previous page(s).

This could be a big problem in many applications. In a financial application the next user could potentially see financial data. In a medical / patient related application it could be a HIPAA violation, and the company could face big penalties.

So let's get back to the point: how can we solve this problem?

I am proposing an HTTP Cookie based approach.

Steps:

Create an HTTP Cookie from the server side with sliding expiration, which can be accessed from client JavaScript (Note: the browser clears this Cookie upon expiration).
Clear this cookie upon logout.
If you don't find this Cookie, reload the page. In this case the server re-authenticates the page and, if necessary, redirects to the login page.
That's it, Done!

Here is my implementation using ASP.NET. The implementation will vary based on server technology but the idea stays the same.

  1. (Server Side). Create HTTP Cookie from server side with sliding expiration

    Response.SetCookie(new HttpCookie("TimeoutCookieName", "1") { Expires = DateTime.UtcNow.AddMinutes(10) });
    //NOTE 10 == Session Timeout. This will be the same as your application login session timeout.
    
  2. (Server Side). Clear this cookie upon logout

    Response.SetCookie(new HttpCookie("TimeoutCookieName", "1") { Expires = DateTime.UtcNow });
    
  3. (Client Side) : (The following script must exist immediately after the BODY tag)

    window.preventBackButton = function () {
        try {
            if (document && (!document.cookie || document.cookie.indexOf('_tc=1') < 0)) {
                window.document.body.style.display = 'none'; window.location = window.location;
            }
        } catch (e) { }
    };
    window.preventBackButton(); //Call immediately after body tag
    

Please find ASP.NET implementation as follow:

////C# Helper class - Start
using System;
using System.Web;

namespace MyHelpers {
    public static class MyHtmlHelper {
        public const string TimeoutCookieName = "_tc";

        // Sets (or refreshes) the marker cookie on this response and returns the
        // inline script that reloads the page whenever the marker is missing.
        public static HtmlString PreventBackButtonScript(HttpResponseBase response) {
            response.SetCookie(new HttpCookie(TimeoutCookieName, "1") { Expires = DateTime.UtcNow.AddMinutes(10) });
            // Verbatim (@"...") strings so the script literal can span several lines.
            var clientScript = @"window.preventBackButton = function() {
                try {
                    if (document && (!document.cookie || document.cookie.indexOf('" + TimeoutCookieName + @"=1') < 0)) {
                        window.document.body.style.display = 'none'; window.location = window.location;
                    }
                } catch (e) {}
            };
            window.preventBackButton();";

            return new HtmlString(clientScript);
        }

        // Call this on logout: expiring the marker cookie makes the client script reload.
        public static void SafeUnSetTimeoutCookie(this HttpResponseBase response) {
            response.SetCookie(new HttpCookie(TimeoutCookieName, "0") { Expires = DateTime.UtcNow.AddYears(-5) });
        }
    }
}
////C# Helper class - End
//Shared/_Layout.cshtml
//Make sure not to include it in the logout OR login page.
//The helper returns raw JavaScript, so wrap it in a script tag.
<html>
<body>
<script>@MyHelpers.MyHtmlHelper.PreventBackButtonScript(Response)</script>
.
.
</body>
</html>

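One thing the inline check above does not cover is the browser's back/forward cache: a page restored from it does not re-run its scripts, so a check placed right after the BODY tag never fires on exactly the navigation the question is about. The following is an added example, not code from the answer or from the linked blog post. It keeps the same `_tc` cookie and value, adds a `pageshow` hook, and takes `window`/`document` as parameters so it can also run under Node against a constructed fake browser; every function name in it is hypothetical.

```javascript
'use strict';

// Added example (not from the answer above): bfcache-aware version of the
// client-side marker-cookie check. Cookie name "_tc" and value "1" follow the
// answer; all function names here are hypothetical.
const TIMEOUT_COOKIE_NAME = '_tc';

// Parse a document.cookie string ("sid=abc; _tc=1") into a name -> value map.
// A real parser avoids the indexOf('_tc=1') pitfall, which would also match an
// unrelated cookie such as "x_tc=1".
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// True when the marker cookie is present with the value the server sets.
function hasTimeoutMarker(cookieString, name = TIMEOUT_COOKIE_NAME) {
  return parseCookies(cookieString)[name] === '1';
}

// Install the guard. Runs the check once on load (the inline call right after
// <body> in the answer) and again on every "pageshow" event. The second hook
// matters: when the browser restores a page from its back/forward cache,
// inline scripts do not run again, so the load-time check alone is bypassed.
// `win` and `doc` are injected so the logic can be exercised outside a browser.
function installBackButtonGuard(win, doc, name = TIMEOUT_COOKIE_NAME) {
  const check = () => {
    if (hasTimeoutMarker(doc.cookie, name)) return false;
    if (doc.body) doc.body.style.display = 'none'; // hide stale content first
    win.location.reload();                          // server decides: page or login redirect
    return true;
  };
  check();
  win.addEventListener('pageshow', check);
  return check;
}

// Constructed stand-in for window/document so the example runs under Node.
function makeFakeBrowser(cookie) {
  const listeners = {};
  const reloads = [];
  const win = {
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    dispatch(type, event) { for (const fn of listeners[type] || []) fn(event); },
    location: { reload() { reloads.push(true); } },
  };
  const doc = { cookie, body: { style: {} } };
  return { win, doc, reloads };
}

// Walk through the scenario from the question: logged in, logout clears the
// marker, the user presses Back, the page comes out of the bfcache.
function demo() {
  const b = makeFakeBrowser('sid=abc; _tc=1');
  installBackButtonGuard(b.win, b.doc);
  const reloadsWhileLoggedIn = b.reloads.length;   // nothing happens while _tc=1
  b.doc.cookie = 'sid=abc';                        // logout expired _tc
  b.win.dispatch('pageshow', { persisted: true }); // Back button, bfcache restore
  return {
    reloadsWhileLoggedIn,
    reloadsAfterLogout: b.reloads.length,
    hidden: b.doc.body.style.display,
  };
}

if (typeof window !== 'undefined') {
  installBackButtonGuard(window, document);
} else {
  console.log(demo());
}
```

Keep in mind what `_tc` is: a hint for the client, nothing more. Anyone can set that cookie in their own browser, so the session itself still has to be destroyed server-side and every page has to be served with headers that stop the browser from caching it; this script only closes the gap on the client that those two measures leave for history navigation.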
海之角 2024-09-21 09:08:37

You cannot disable the back button. If you can see the previously logged out user's page then your session checking script fails somewhere. Use a process script when you submit the logout form then redirect the currently logged out user to the main page (if applicable).

思念绕指尖 2024-09-21 09:08:37

You can't. Browsers cache pages so they don't have to request it from a web server every time they load a page. When you hit the back button it loads the last page without asking the server.

路还长,别太狂 2024-09-21 09:08:37

It's probably more to do with the caching headers you're sending back on each page request. You have content that is only valid for a short time so you need to make sure you send headers back when you generate the page telling the browser not to cache it locally.

Example of disabling the page caching here http://www.w3schools.com/php/func_http_header.asp:

// Date in the past
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Cache-Control: no-cache");
header("Pragma: no-cache");
飘过的浮云 2024-09-21 09:08:37

Are you clearing out the cache/session of the user? Even if they hit back I don't think it should keep them logged in if you clear their session on log out.

碍人泪离人颜 2024-09-21 09:08:37

Edit: Prior to editing - by someone other than OP - this question asked if it is possible to disable the browser's back button. My original answer to that question is below. Also, I feel I need to clarify - the below approaches for essentially "breaking" the back button are not approaches I recommend or like. You should design your application to react sensibly when using basic browser features like the back button rather than try to prevent their use.

You cannot disable the back button on a user's browser. It's a fundamental feature of browsers which can't be overridden.

You can make it so that your application breaks (displays an error message, requiring the user to start over or re-submit a request) if the user goes back. It's a bad idea to do this, because it is really an admission that you didn't take the back button into account when you designed the application. Every application, even order forms, shopping carts etc, if designed correctly should be able to use the back button.

One approach I have seen for breaking on back button use is to pass a token on every URL within the application, and within every form. The token is regenerated on every page, and once the user loads a new page any tokens from previous pages are invalidated.

When the user loads a page, the page will only show if the correct token (which was given to all links/forms on the previous page) was passed to it.

The online banking application my bank provides is like this. If you use the back button at all, no more links will work and no more page reloads can be made - instead you see a notice telling you that you cannot go back, and you have to start over.

That said, I should remind you that making it so your application breaks when the user goes back is a bad idea and shows a poor application design.
