CACHE-CONTROL AND CONDITIONAL CHECK
In the following code snippet, we will auto-detect if the
session is still in use.
session is still in use.
createaccount.php:
<?php
session_start();
header("Cache-control: must-revalidate");
if (
$_SESSION["alive"] != "1") {
// User is attempting to go back after the session was destroyed
Header("Location:/php/error100.php");
}
?>
The “Cache-control” directive above is very important. Using
“must-revalidate” tells the browser that it has to fetch the page
from the server again instead of loading if from its cache. Because
it reloads the page from the server, it will re-check the
$_SESSION[“alive”] variable to see if its value is “1”. If so, the
page can load properly. If not, then we’ll redirect the user to
another page that contains a custom error message. Placing this
script at the beginning of every page in the registration series
will catch every “Back” button press by the user. It’s not enough
to place it on the last page in the registration series as a user
could press the “Back” button more than one time. I have this
snippet in createaccount.php, createaccount1.php,
createaccount2.php and createaccount3.php.
“must-revalidate” tells the browser that it has to fetch the page
from the server again instead of loading if from its cache. Because
it reloads the page from the server, it will re-check the
$_SESSION[“alive”] variable to see if its value is “1”. If so, the
page can load properly. If not, then we’ll redirect the user to
another page that contains a custom error message. Placing this
script at the beginning of every page in the registration series
will catch every “Back” button press by the user. It’s not enough
to place it on the last page in the registration series as a user
could press the “Back” button more than one time. I have this
snippet in createaccount.php, createaccount1.php,
createaccount2.php and createaccount3.php.
MANUALLY EXPIRE THE SESSION
The last thing to do is manually “expire” the session, or at
least a portion of it. In my case, I wanted the session to stay
alive, so I could not use
However, I didn’t want the user to go back to the previous pages
and change things. Remember that
the final submit, all we have to do is get rid of it. There are two
ways to do this:
least a portion of it. In my case, I wanted the session to stay
alive, so I could not use
session_unset() or session_destroy().However, I didn’t want the user to go back to the previous pages
and change things. Remember that
$_SESSION["alive"]variable? Afterthe final submit, all we have to do is get rid of it. There are two
ways to do this:
createaccount4.php (the page after the final submit):
<?php
session_start();
$_SESSION["alive"] = "0";
?>
or
<?php
session_start();
session_unregister('alive');
?>
Either way will accomplish the same thing. Now, when the “Back”
button is pressed, the user won’t return the the previous page and
be able to change data and resubmit. Instead, they will be
redirected to error100.php (or whatever page you choose) and will
get a custom error message.
button is pressed, the user won’t return the the previous page and
be able to change data and resubmit. Instead, they will be
redirected to error100.php (or whatever page you choose) and will
get a custom error message.
So, the next time you want to stop the user from going back to
change data previously entered, and if you want manual control over
it, use this method. Just remember that the entry script sets the
session variable to the “alive” state, and the exit script (right
after your final submit during the process) sets the session
variable to a “not alive” state. The “Cache-control:
must-revalidate” forces the browser to reload the page from the
server, and the “alive” check is performed. Redirection to a custom
page occurs when the session variable is not “alive”.
change data previously entered, and if you want manual control over
it, use this method. Just remember that the entry script sets the
session variable to the “alive” state, and the exit script (right
after your final submit during the process) sets the session
variable to a “not alive” state. The “Cache-control:
must-revalidate” forces the browser to reload the page from the
server, and the “alive” check is performed. Redirection to a custom
page occurs when the session variable is not “alive”.
