Stopping the back button from exposing secure pages?

If you can use HTTPS, this combined with a Cache-Control: no-cache header will disable the "page cache" (the WebKit term for in-memory/back-forward cache). The downside of this is that it will be disabled for all secure page views, not just after log out. (Source; note they are working on allowing exceptions, so it's worth keeping an eye on this.)

If you can depend on JavaScript, attaching an unload event handler will prevent the "page cache". This has the benefit of also allowing you to only break the cache when a "log out" button or link is clicked, by only then attaching the unload event handler. (Source)

Neither of these solutions is ideal, but one of them might be a worthwhile compromise.
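The JavaScript approach described above, as an added example that is not part of the original answer: the unload handler is attached only once the logout control is clicked. It goes one step beyond the answer by also reloading when the standard `pageshow` event reports `persisted`, so a page restored from the back-forward cache is re-requested from the server. The element id `logout` and both function names are assumptions.

```javascript
// Added example, not code from the original answer.
// armLogoutCacheBreak and reloadIfRestored are hypothetical helper names.

// Attach the unload listener only after the logout control is clicked, so
// normal navigation keeps the page cache and only the logout path loses it.
function armLogoutCacheBreak(win, logoutEl) {
  let armed = false;
  // Per the answer above, the listener's presence is what matters;
  // it does not need to do any work.
  const onUnload = () => {};
  logoutEl.addEventListener('click', () => {
    if (armed) return; // a double click must not register twice
    armed = true;
    win.addEventListener('unload', onUnload);
  });
  return { isArmed: () => armed };
}

// Beyond the answer: if the browser still restores the page from the
// back-forward cache, pageshow fires with persisted === true. Reloading
// sends the request back to the server, which can check the session.
function reloadIfRestored(win) {
  win.addEventListener('pageshow', (ev) => {
    if (ev.persisted) win.location.reload();
  });
}

// Browser wiring; skipped when no DOM is present.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const link = document.getElementById('logout'); // assumed element id
  if (link) armLogoutCacheBreak(window, link);
  reloadIfRestored(window);
}
```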

Tags: PHP, Session