When a user logs out, the current user session is destroyed and no new pages can be loaded for which a user must be logged in. However, when you hit the ‘back’ button on your browser, it typically retrieves the page from the local cache. There is no contact with the server to see if the current session is still valid.
So, what you need to do is detect whether the backspace button has been hit and in that case check the validity of the session. This means there must be a piece of JavaScript included in the page, because this action needs to take place at the user side. I’m not a security expert, but the common way to detect the backspace goes like this:
    window.onhashchange = function () {
        // .. your action ..
    };
There are some snags to this method. Now, your action must be to call back to the server. That question has been answered before here on WPSE.
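The server check described above, as an added example that is not part of the original answer: it listens for `pageshow`, which fires when a page is restored from the browser's back/forward cache, instead of `onhashchange`, and asks the server whether the session is still valid. The endpoint URL, its `{ "loggedIn": true }` JSON reply and all function names are assumptions.

```javascript
// Hypothetical endpoint: an AJAX action you register yourself that replies
// with JSON {"loggedIn": true|false}. Not a built-in WordPress action.
const SESSION_CHECK_URL = '/wp-admin/admin-ajax.php?action=example_session_check';
const LOGIN_URL = '/wp-login.php';

// True when the page came from history (bfcache or a back/forward navigation)
// rather than from a fresh request to the server.
function restoredFromHistory(persisted, navigationType) {
  return persisted === true || navigationType === 'back_forward';
}

// Ask the server whether the session still exists. Fails closed: any network
// error, non-2xx status or unexpected body counts as "not logged in".
async function sessionIsValid(fetchFn, url) {
  try {
    const res = await fetchFn(url, { credentials: 'same-origin', cache: 'no-store' });
    if (!res.ok) return false;
    const body = await res.json();
    return body.loggedIn === true;
  } catch (err) {
    return false;
  }
}

// pageshow handler. `env` is `window` in the browser; passing it in keeps the
// logic testable outside a browser.
async function onPageShow(event, env) {
  const nav = env.performance.getEntriesByType('navigation')[0];
  if (!restoredFromHistory(event.persisted, nav && nav.type)) return 'fresh';
  if (await sessionIsValid(env.fetch.bind(env), SESSION_CHECK_URL)) return 'valid';
  // Session is gone: hide the cached markup and leave without adding a history entry.
  env.document.documentElement.style.visibility = 'hidden';
  env.location.replace(LOGIN_URL);
  return 'redirected';
}

if (typeof window !== 'undefined') {
  window.addEventListener('pageshow', (e) => onPageShow(e, window));
}
```

Hiding the document in script is only cosmetic, since the markup is already on the client. Sending `Cache-Control: no-store` on pages that require login keeps them out of the browser cache in the first place.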