How page expires when pressing back on banking sites

On many banking sites you will find that when back or refresh button is pressed the session expires and it shows you a custom page. Well below is a simple PHP code which will do the same. The code is very basic and illustrates just the logic.

Include the below given code in all your scripts.

// First make sure that the page is not cached
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past

// Start the session

// If there is a key in session and there is no key in GET then exit with error.
if (isset($_SESSION['key']) && !isset($_GET['key'])) {
  echo "SESSION expired";

// If there is a key in GET then validate the key against the key stored in session
if (isset($_GET['key']) && isset($_SESSION['key'])) {
  // Compare the key passed with the one stored in session
  if ($_GET['key'] != $_SESSION['key']) {
    echo "SESSION expired";exit;

// Generate a key for next page and store it in session.
$next_key = md5(time());
$_SESSION['key'] = $next_key;

// Now $next_key is the key which should be passed in all links
// Something like <a href="second_page.php?key=$next_key">Secon page</a>
// If no key is passed or invalid key is passed then session expire error will be shown

$next_key should be passed in the URL to all scripts.


Comments: 2

Leave a reply »

  • Rahul

    hi !! abbas
    nice tut.


  • Abdul Wahid Hashmi

    Nice post. 🙂

  • Leave a Reply
    Your gravatar
    Your Name