How a page expires when pressing back on banking sites
On many banking sites, pressing the back or refresh button expires the session and shows a custom page. Below is simple PHP code that does the same. The code is very basic and illustrates just the logic.
Include the code below in all your scripts.
<?php
// First make sure that the page is not cached or stored by the browser
header("Cache-Control: no-store, no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past

// Start the session
session_start();

// If there is a key in session and there is no key in GET then exit with error.
if (isset($_SESSION['key']) && !isset($_GET['key'])) {
    echo "SESSION expired";
    exit;
}

// If there is a key in GET then validate the key against the key stored in session
if (isset($_GET['key']) && isset($_SESSION['key'])) {
    // Compare the key passed with the one stored in session.
    // hash_equals() is a strict, constant-time string comparison.
    if (!is_string($_GET['key']) || !hash_equals($_SESSION['key'], $_GET['key'])) {
        echo "SESSION expired";
        exit;
    }
}

// Generate a key for next page and store it in session.
// Use random_bytes(): a key derived from the clock could be guessed.
$next_key = bin2hex(random_bytes(16));
$_SESSION['key'] = $next_key;

// Now $next_key is the key which should be passed in all links
// Something like <a href="second_page.php?key=$next_key">Second page</a>
// If no key is passed or invalid key is passed then session expire error will be shown
$next_key should be passed in the URL to all scripts.
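The key rotation described above, replayed over a constructed request sequence (first page, a followed link, then Back), as an added example that is not part of the original post. nav_step() and nav_link() are hypothetical helper names, and a plain array stands in for $_SESSION so it runs from the PHP CLI.

```php
<?php
// Added example, not the original post's code. nav_step() and nav_link() are
// hypothetical helpers; $session stands in for $_SESSION (assumption) so the
// flow runs under the PHP CLI without a web server.

// Validate the key sent with a request, then rotate it.
// Returns the next key, or null when the request must be rejected.
function nav_step(array &$session, array $query): ?string
{
    if (isset($session['key'])) {
        $sent = $query['key'] ?? '';
        // hash_equals() needs strings; ?key[]=x would arrive as an array.
        if (!is_string($sent) || !hash_equals($session['key'], $sent)) {
            $session = [];   // in a web script: $_SESSION = []; session_destroy();
            return null;
        }
    }
    // Unpredictable 128-bit key for the next page.
    $session['key'] = bin2hex(random_bytes(16));
    return $session['key'];
}

// Build an HTML-escaped link that carries the key.
function nav_link(string $script, string $key, string $label): string
{
    $url = $script . '?' . http_build_query(['key' => $key]);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES) . '">'
         . htmlspecialchars($label, ENT_QUOTES) . '</a>';
}

// Constructed request sequence: first page, a followed link, then Back.
$session = [];
$k1 = nav_step($session, []);                  // no key yet, one is issued
echo nav_link('second_page.php', $k1, 'Second page'), "\n";

$k2 = nav_step($session, ['key' => $k1]);      // link followed: accepted, rotated
echo 'followed link: ', $k2 !== null ? 'ok' : 'expired', "\n";

$replay = nav_step($session, ['key' => $k1]);  // Back resends the old key
echo 'back button:   ', $replay !== null ? 'ok' : 'SESSION expired', "\n";
echo 'session entries kept: ', count($session), "\n";
```

Because the key travels in the URL it also lands in browser history and server logs, so it works alongside the session cookie and does not replace it.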
hi !! abbas
nice tut.
thanks.
Nice post. 🙂