After going through a series of pages during a registration process, you don't want the user to be able to go back after the final submit. What can you do to manually "expire" those pages, and perhaps display a custom message?
In this scenario, I didn't want my session to expire as I needed it to continue. Instead, I used an extra session variable to track whether my session was alive or not. There are three main components: (1) the entry script, (2) the Cache-control directive, (3) the conditional check, and (4) manually expiring a portion of the session.
THE ENTRY SCRIPT
I use an entry script to start my session. This accomplishes two things:
(1) destroys any session already in progress, and (2) starts a new session.
entry.php:
session_start();
session_unset();
session_destroy();
session_start();
session_register('alive');
$_SESSION["alive"] = "1";
Header("Location:/php/createaccount.php");
In the above script, we start the session, get rid of any registered session variables with session_unset(), and destroy that session with session_destroy(). Then, we start a new session and register a session variable. This particular variable will track whether this portion of the session is alive or not. We set the variable to some value, then we redirect to our first page in the registration series.
CACHE-CONTROL AND CONDITIONAL CHECK
In the following code snippet, we will auto-detect if the session is still in use.
createaccount.php:
session_start();
header("Cache-control: must-revalidate");
if ($_SESSION["alive"] != "1") {
// User is attempting to go back after the session was destroyed
Header("Location:/php/error100.php");
}
The "Cache-control" directive above is very important. Using "must-revalidate" tells the browser that it has to fetch the page from the server again instead of loading if from its cache. Because it reloads the page from the server, it will re-check the $_SESSION["alive"] variable to see if its value is "1". If so, the page can load properly. If not, then we'll redirect the user to another page that contains a custom error message. Placing this script at the beginning of every page in the registration series will catch every "Back" button press by the user. It's not enough to place it on the last page in the registration series as a user could press the "Back" button more than one time. I have this snippet in createaccount.php, createaccount1.php, createaccount2.php and createaccount3.php.
MANUALLY EXPIRE THE SESSION
The last thing to do is manually "expire" the session, or at least a portion of it. In my case, I wanted the session to stay alive, so I could not use session_unset() or session_destroy(). However, I didn't want the user to go back to the previous pages and change things. Remember that $_SESSION["alive"] variable? After the final submit, all we have to do is get rid of it. There are two ways to do this:
createaccount4.php (the page after the final submit):
session_start();
$_SESSION["alive"] = "0";
or
session_start();
session_unregister('alive');
Either way will accomplish the same thing. Now, when the "Back" button is pressed, the user won't return the the previous page and be able to change data and resubmit. Instead, they will be redirected to error100.php (or whatever page you choose) and will get a custom error message.
So, the next time you want to stop the user from going back to change data previously entered, and if you want manual control over it, use this method. Just remember that the entry script sets the session variable to the "alive" state, and the exit script (right after your final submit during the process) sets the session variable to a "not alive" state. The "Cache-control: must-revalidate" forces the browser to reload the page from the server, and the "alive" check is performed. Redirection to a custom page occurs when the session variable is not "alive".
Total Members
