Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
in my laraval5 system when user succesfully login to system and click on browser back button, its goin again to login page where without entering password user can login to system
how can i prevent that? plsease advice . how can i redirect user back to home page if browser back button goes to login page again
Middleware 'guest' add to either the route or controller.
http://laravel.com/docs/5.1/middleware#registering-middleware
Route::get('/', ['middleware' => 'guest', function()
{
// Redirected If Authenticated
}]);
or in the controller http://laravel.com/docs/5.1/controllers#controller-middleware
$this->middleware('guest');
@phildawson do i have to add middleware guest to controller which have login fucntion or home page function..
my login function is on authcontroller and home page dashbord is on dashboardcontroller.php
btw my existing AuthController contains this section
public function __construct(Guard $auth, Registrar $registrar)
{
$this->auth = $auth;
$this->registrar = $registrar;
$this->middleware('guest', ['except' => 'getLogout']);
}
please advice
Yeah so the AuthController and all its methods (apart from getLogout) will run the 'guest' middleware before being called.
The guest is just a key for the middleware. See Kernel.php
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
If you open up app/Http/Middleware and RedirectIfAuthenticated you can see in handle what it does. Change /home to /dashboard or whatever suits.
if ($this->auth->check()) {
return redirect('/home');
}
You can add $this->middleware('guest'); to any of your controllers you want to be redirected if logged in. Usually it's just the login/register and maybe home page where you might want this to happen.
I think you can avoid this issue by not having the user visit the login page.
Er.... what do I mean by this?
If you have protected pages, when the user wants to login just link them to the protected page. The Auth middleware will intercept the request and redirect to /auth/login. User fills in the login and submits. This is validated and the user is now redirected to the intended() page (the protected content). If they press back they return to the previous page that they were on and NOT the login page.
I use this on my sites and nowhere do I have a link to login so its never a page that people have visited although all have seen it.
@snapy : i used that middleware guest thing but still when you user login to system and press browser back button still it goes to login page and he can login back without entering password.
Please advice me . btw user cant visit login page after logged with system it redirects , this issue comes once after login and press back button
@dilfdo back button = cached content, not the really content that must show. Try this.
//put in <head> in your login page.
<meta http-equiv="cache-control" content="private, max-age=0, no-cache">
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="0">
Source => http://stackoverflow.com/questions/31334306/how-i-prevent-browsers-back-button-login-after-logout
@dilfdo you are missing my point.
I will try and explain again. You should not give the user a link to /auth/login
From the homepage give them a link to the protected content, for example /dashboard
In your routes have something like;
Route::group(array('middleware' => 'auth'), function() {
Route::get('/dashboard', 'DashboardController@show');
});
Route::controllers([
'auth' => 'Auth\AuthController',
'password' => 'Auth\PasswordController',
]);
When the user is on your homepage (not shown above) and clicks the link for /dashboard, middleware will catch it and REDIRECT the user to /auth/login. When they complete login, they are REDIRECTed back to /Dashboard
If the user now presses back they go from Dashboard to homepage (and not to the login page) They are still logged in and can press Dashboard again and go there without logging in again.
The back button DOES NOT send you to pages that were only visited as a result of a REDIRECT
This solutions is works! Create a middleware using artisan.
php artisan make:middleware RevalidateBackHistory
Within RevalidateBackHistory middleware, we set the header to no-cache and revalidate.
<?php
namespace App\Http\Middleware;
use Closure;
class RevalidateBackHistory
{
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
$response = $next($request);
return $response->header('Cache-Control','nocache, no-store, max-age=0, must-revalidate')
->header('Pragma','no-cache')
->header('Expires','Fri, 01 Jan 1990 00:00:00 GMT');
}
}
Update the application’s route middleware in Kernel.php
protected $routeMiddleware = [
.
.
'revalidate' => \App\Http\Middleware\RevalidateBackHistory::class,
.
.
];
And that’s all! So basically you just need to call revalidate middleware for routes which require user authentication.
@RaZik you are genius! i face this issue for 2-3 days,but your post solve my problem, thanks man
worked for me. For Firefox only.
For a universal solution is adding the headers both in the login route and the redirect to home
Route::get('/login', function () {
return response()
->view('auth.login')
->header('Cache-Control', 'no-store, no-cache, must-revalidate, max-age=0')
->header('Pragma', 'no-cache');
})->middleware('guest')->name('login');;
Also it needs to never have cached the page. If you test it while your browser has cached the logic route it will never work. Just go to a new tab.
@Snapey I tried using intended() method. But its taking me to my apps' home page and not to protected one. Where I need to change so that It will redirect me to protected one?
Because of how much this just saved my day, Thank you very much for this
A simple if statement can actually solve this (For my fellow beginners ;) ). This statement should be called in your controller for the registration page. You can do the same for the login page.
if (Auth::check() && Auth::user()->usertype == '1') {
return view ('admin.home');
} elseif (Auth::check() && Auth::user()->usertype == '0') {
$data = Products::all();
return view ('dashboard', compact('data'));
} else {
return view ('home.useregister');
}
By the way, This is for my registration page and it works just fine for now lol
Please or to participate in this conversation.