How a page expires when pressing back on banking sites

On many banking sites you will find that when the back or refresh button is pressed, the session expires and a custom page is shown. Below is simple PHP code that does the same. The code is very basic and illustrates just the logic.

Include the code below in all your scripts.

PHP:
    // First make sure that the page is not cached
    // (no-store also keeps the browser from re-showing a stored copy on Back)
    header("Cache-Control: no-store, no-cache, must-revalidate"); // HTTP/1.1
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past

    // Start the session
    session_start();

    // If there is a key in session and there is no key in GET then exit with error.
    if (isset($_SESSION['key']) && !isset($_GET['key'])) {
      echo "SESSION expired";
      exit;
    }

    // If there is a key in GET then validate the key against the key stored in session
    if (isset($_GET['key']) && isset($_SESSION['key'])) {
      // Compare the key passed with the one stored in session.
      // hash_equals() needs strings; a request like ?key[]=x arrives as an array.
      if (!is_string($_GET['key']) || !hash_equals($_SESSION['key'], $_GET['key'])) {
        echo "SESSION expired";
        exit;
      }
    }

    // Generate a key for next page and store it in session.
    // random_bytes() (PHP 7+) gives a key that cannot be guessed from the clock.
    $next_key = bin2hex(random_bytes(16));
    $_SESSION['key'] = $next_key;

    // Now $next_key is the key which should be passed in all links
    // Something like <a href="second_page.php?key=$next_key">Second page</a>
    // If no key is passed or invalid key is passed then session expire error will be shown

$next_key should be passed in the URL to all scripts.
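
To see how the key behaves across requests, here is an added example (not part of the original post) that puts the same check-then-rotate logic into a function and runs it over a constructed sequence of requests. The function name `check_and_rotate` and the plain arrays standing in for `$_SESSION` and `$_GET` are assumptions made for the illustration; it compares with `hash_equals()` and generates keys with `random_bytes()`.

```php
<?php
// Added illustration: the page's check-then-rotate logic as a pure function,
// driven by constructed requests instead of the real $_SESSION / $_GET.

/**
 * Hypothetical helper (not from the original post).
 * Returns ['ok' => bool, 'next_key' => ?string] and updates $session in place.
 */
function check_and_rotate(array &$session, array $get): array
{
    $stored = $session['key'] ?? null;
    $sent   = $get['key'] ?? null;

    // A key was issued earlier, so this request must present exactly that key.
    // is_string() rejects a missing key and array input such as ?key[]=x.
    if ($stored !== null) {
        if (!is_string($sent) || !hash_equals($stored, $sent)) {
            // "SESSION expired": the stored key is left as it was, because the
            // original script exits before it reaches the rotation step.
            return ['ok' => false, 'next_key' => null];
        }
    }

    // Valid request: issue a fresh one-time key for the links on this page.
    $next = bin2hex(random_bytes(16));
    $session['key'] = $next;
    return ['ok' => true, 'next_key' => $next];
}

// Constructed walk-through: one browser session, five requests.
$session = [];
$r1 = check_and_rotate($session, []);                         // first page, no key issued yet
$r2 = check_and_rotate($session, ['key' => $r1['next_key']]); // link clicked on page 1
$r3 = check_and_rotate($session, ['key' => $r1['next_key']]); // refresh: same URL, used key
$r4 = check_and_rotate($session, []);                         // back to the key-less first URL
$r5 = check_and_rotate($session, ['key' => $r2['next_key']]); // link from page 2 still works

foreach (['first load' => $r1, 'follow link' => $r2, 'refresh' => $r3,
          'back' => $r4, 'current link' => $r5] as $step => $r) {
    printf("%-12s %s\n", $step, $r['ok'] ? 'ok' : 'SESSION expired');
}
```

Refresh and back fail because the key in the old URL was replaced as soon as it was accepted, while the link rendered on the most recent valid page keeps working.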

One Response

  1. Rahul Says:

    hi !! abbas
    nice tut.

    thanks.
