When a user logs out, the current user session is destroyed and no new pages can be loaded for which a user must be logged in. However, when you hit the ‘back’ button on your browser, it typically retrieves the page from the local cache. There is no contact with the server to see if the current session is still valid.
So, what you need to do is detect whether the backspace button has been hit and in that case check the validity of the session. This means there must be a piece of JavaScript included in the page, because this action needs to take place at the user side. I’m not a security expert, but the common way to detect the backspace goes like this:
window.onhashchange = function() {
    // .. your action ..
};
There are some snags to this method. Now, your action must be to call back to the server. That question has been answered before here on WPSE.
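As an added example (not part of the original answer and not WordPress code), here is one way to wire up the "detect the history navigation, then call back to the server" step described above. It listens for `pageshow` rather than the `onhashchange` handler quoted in the answer. The `/session-check` endpoint and its `{"loggedIn": true|false}` response are assumptions.

```javascript
// Added example. SESSION_CHECK_URL and the response shape are hypothetical,
// not an existing WordPress endpoint.
const SESSION_CHECK_URL = '/session-check';

// True when the page was shown from history instead of a fresh load.
// `persisted` is set on pageshow when the page is restored from the
// back/forward cache; navigation type "back_forward" covers a history
// navigation that was served from the HTTP cache.
function cameFromHistory(pageshowEvent, navigationType) {
  return Boolean(pageshowEvent && pageshowEvent.persisted) ||
         navigationType === 'back_forward';
}

// Fail closed: only a 200 response with loggedIn === true counts as valid.
function sessionIsValid(status, body) {
  if (status !== 200 || body === null || typeof body !== 'object') return false;
  return body.loggedIn === true;
}

async function recheckSession(fetchFn, onExpired) {
  let valid = false;
  try {
    const res = await fetchFn(SESSION_CHECK_URL, {
      credentials: 'same-origin', // send the session cookie
      cache: 'no-store',          // never answer this request from cache
    });
    const body = await res.json().catch(() => null);
    valid = sessionIsValid(res.status, body);
  } catch (err) {
    valid = false; // network failure is treated as "logged out"
  }
  if (!valid) onExpired();
  return valid;
}

if (typeof window !== 'undefined') {
  window.addEventListener('pageshow', (event) => {
    const nav = performance.getEntriesByType('navigation')[0];
    if (cameFromHistory(event, nav && nav.type)) {
      recheckSession(window.fetch.bind(window), () => {
        document.documentElement.hidden = true;   // hide the cached content
        window.location.replace('/wp-login.php'); // replace() drops the history entry
      });
    }
  });
}
```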