
Secure Login Page


laado


I have the following login page. When I log in, it works fine. But when I press the back button in Explorer, the login page appears again, and when I press the forward button, the page which opens after login appears. Why? What changes should I make in this code to secure it, so that when anyone presses the back or forward button they cannot access the login page, but when they press the back button or forward button the login form page appears? The following is the login page:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
  <title>Login Form</title>
  <link href="loginmodule.css" rel="stylesheet" type="text/css" />
</head>
<body background="new2.jpg">
<p> </p>
<form id="loginForm" name="loginForm" method="post" action="login-exec.php">
  <table width="300" border="0" align="center" cellpadding="2" cellspacing="0">
    <tr>
      <td width="112"><b>Login</b></td>
      <td width="188"><input name="login" type="text" class="textfield" id="login" /></td>
    </tr>
    <tr>
      <td><b>Password</b></td>
      <td><input name="password" type="password" class="textfield" id="password" /></td>
    </tr>
    <tr>
      <td> </td>
      <td><input type="submit" name="Submit" value="Login" /></td>
    </tr>
  </table>
</form>
</body>
</html>

The file which handles the login page is:

<?php
    //Start session
    session_start();

    //Include database connection details
    require_once('config.php');

    //Array to store validation errors
    $errmsg_arr = array();

    //Validation error flag
    $errflag = false;

    //Connect to mysql server (host and credentials are string literals, so they must be quoted)
    $link = mysql_connect('localhost', 'phpuser', 'phppass');
    if(!$link) {
        die('Failed to connect to server: ' . mysql_error());
    }

    //Select database
    $db = mysql_select_db(DB_DATABASE);
    if(!$db) {
        die("Unable to select database");
    }

    //Function to sanitize values received from the form. Prevents SQL injection
    function clean($str) {
        $str = @trim($str);
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }

    //Sanitize the POST values
    $login = clean($_POST['login']);
    $password = clean($_POST['password']);

    //Input Validations
    if($login == '') {
        $errmsg_arr[] = 'Login ID missing';
        $errflag = true;
    }
    if($password == '') {
        $errmsg_arr[] = 'Password missing';
        $errflag = true;
    }

    //If there are input validation errors, redirect back to the login form
    if($errflag) {
        $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
        session_write_close();
        header("location: login-form.html?error=wrong_password");
        exit();
    }

    //Create query
    $qry="SELECT * FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
    $result=mysql_query($qry);

    //Check whether the query was successful or not
    if($result) {
        if(mysql_num_rows($result) > 0) {
            //Login Successful: store the member details in the session
            session_regenerate_id();
            $member = mysql_fetch_assoc($result);
            $_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
            $_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
            $_SESSION['SESS_LAST_NAME'] = $member['lastname'];
            session_write_close();
            header("location:home.html");
            exit();
        }else {
            //Login failed
            header("location: login-failed.php");
            exit();
        }
    }else {
        die("Query failed");
    }
?>

Please help, I need it urgently.


You can't change how back and forward work. If they log in, then press back, then press forward, they're still logged in, right? They haven't logged out. So it makes sense to show the page they see when they log in. If they do log out, and they're still able to see the page they get to after they log in, then you need to add code on that page to make sure they're logged in.


I cannot understand. Can you explain it further? Or can you tell me any other secure login code?


Pushing back in your browser just shows you what it saw on the previous page; it does not load another page to log you off or anything... and pushing forward just shows you the page you were on before pushing back. It doesn't load pages.

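One way to add the check the replies describe, as an added example that is not code from any poster in this thread: a shared include that refuses to render a members-only page unless the session holds the value login-exec.php sets, and tells the browser not to store the page so Back/Forward has to re-request it. The file names auth.php, home.php and logout.php are assumptions; home.html would have to become a PHP page for the check to run.

```php
<?php
// auth.php: added example (hypothetical file name), not code from the thread.
// Include it at the very top of every members-only page, e.g. a home.php
// that replaces home.html (a static .html file cannot run this check).

session_start();

/**
 * Stop the browser from keeping a copy of a protected page, so Back/Forward
 * has to ask the server again and the session check below runs each time.
 */
function send_no_cache_headers() {
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');   // for HTTP/1.0 caches
    header('Expires: 0');
}

/** True only if login-exec.php has stored a member id in this session. */
function is_logged_in() {
    return isset($_SESSION['SESS_MEMBER_ID'])
        && trim($_SESSION['SESS_MEMBER_ID']) !== '';
}

/** Call before any output on a protected page. */
function require_login() {
    send_no_cache_headers();
    if (!is_logged_in()) {
        header('Location: login-form.html');
        exit();
    }
}

/** Call from a logout.php (hypothetical): wipe the session, then redirect. */
function logout() {
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        // Expire the session cookie using the same parameters it was set with
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: login-form.html');
    exit();
}

// Usage at the top of home.php:   require_once('auth.php'); require_login();
// Usage as the whole logout.php:  require_once('auth.php'); logout();
```

With this in place, pressing Back or Forward after logging out sends a fresh request, the session check fails, and the browser is redirected to the login form instead of showing the stored page.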

Archived

This topic is now archived and is closed to further replies.
