On IE when user hits back button they get the classic IE "webpage has expired" message.
I have found that setting the following in my php.ini has solved this.
'session.cache_limiter=private'
However my problem now is when I send forms I include a PHP session value ($_SESSION['token']) in a hidden field. I then check this on the following page to see if token values match
echo "<form ......<input type='hidden' name='token' value='".$_SESSION['token']."' />";
/*on recieving page*/
if($_POST['token']==$_SESSION['token']){/*ok matched*/}
else{/*THIS IS WHERE THE ERROR OCCURS*/}
My problem is since adding this setting to my php.ini file I noticed when sending forms I get my custom page error as for some reason the $_SESSION['token'] value appears to change on the page receiving the form data thus making the if() statement return false? It's happening in all browsers now?
Here is my $_SESSION['token'] code (NOTE when sending my form it lands in the else() but value changes of $_SESSION['token'] something to do with cache perhaps not retaining my $_SESSION values?
session_start()
if(!isset($_SESSION['token']))
{
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token; /*have to put current session token into this variable for hidden field in <form>*/
$_SESSION['token_time'] = time();
}
else
{
/*if token set ie user press back button on browser*/
$token_age = time() - $_SESSION['token_time'];
if ($token_age > 1200)
{
/* More than 20 minutes has passed - regenerate. Do this so more likely wont timeout when user taking long time on <form> and token may not get refreshed before time limit*/
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token; /*have to put current session token into this variable for hidden field in <form>*/
$_SESSION['token_time'] = time();
}
}
If any use heres my other php.ini session settings
session.cache_limiter=private
session.cookie_secure=1 ;my wholes site is SSL
session.cookie_httponly=1
session.save_path = /tmp ;directory to store sessions
session.save_handler = files
session.cookie_lifetime = 0 ;persistence cookie dies after browser closed
session.use_trans_sid = 0
session.use_only_cookies=1
Let me just clear something up guys, the reason this whole problem occurs is using the 'session.cache_limiter=private'. If I take this out theres no problem except I get a message in IE when hitting back button on a form page saying "Webpage expired". Is there any suggestions how to avoid that message occuring in IE when hitting the back button?
