Home/ Questions/Q 5988741
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-22T23:00:03+00:00

On IE when user hits back button they get the classic IE webpage has

  • 0

On IE when user hits back button they get the classic IE “webpage has expired” message.

I have found that setting the following in my php.ini has solved this.

'session.cache_limiter=private'

However my problem now is when I send forms I include a PHP session value ($_SESSION[‘token’]) in a hidden field. I then check this on the following page to see if token values match

echo "<form ......<input type='hidden' name='token' value='".$_SESSION['token']."' />";

/*on recieving page*/
if($_POST['token']==$_SESSION['token']){/*ok matched*/}
else{/*THIS IS WHERE THE ERROR OCCURS*/}

My problem is since adding this setting to my php.ini file I noticed when sending forms I get my custom page error as for some reason the $_SESSION[‘token’] value appears to change on the page receiving the form data thus making the if() statement return false? It’s happening in all browsers now?

Here is my $_SESSION[‘token’] code (NOTE when sending my form it lands in the else() but value changes of $_SESSION[‘token’] something to do with cache perhaps not retaining my $_SESSION values? 

session_start()
if(!isset($_SESSION['token']))
{
            $token = md5(uniqid(rand(), TRUE));
            $_SESSION['token'] = $token; /*have to put current session token into this variable for hidden field in <form>*/
            $_SESSION['token_time'] = time();
}
else
{
            /*if token set ie user press back button on browser*/
            $token_age = time() - $_SESSION['token_time'];
            if ($token_age > 1200)
            {
                        /* More than 20 minutes has passed - regenerate. Do this so more likely wont timeout when user taking long time on <form> and token may not get refreshed before time limit*/
                        $token = md5(uniqid(rand(), TRUE));
                        $_SESSION['token'] = $token; /*have to put current session token into this variable for hidden field in <form>*/
                        $_SESSION['token_time'] = time();
            }

}

If any use heres my other php.ini session settings

session.cache_limiter=private
session.cookie_secure=1 ;my wholes site is SSL
session.cookie_httponly=1
session.save_path = /tmp ;directory to store sessions
session.save_handler = files
session.cookie_lifetime = 0 ;persistence cookie dies after browser closed
session.use_trans_sid = 0
session.use_only_cookies=1

Let me just clear something up guys, the reason this whole problem occurs is using the ‘session.cache_limiter=private’. If I take this out theres no problem except I get a message in IE when hitting back button on a form page saying “Webpage expired”. Is there any suggestions how to avoid that message occuring in IE when hitting the back button?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    ini_set(“session.cache_limiter”, “must-revalidate”);

    • 0