Topic: Disabling the browser back button? |
|
Author |
|
kr33
Joined: 19 Sep 2006 Posts: 64 Location: South Africa
|
Posted: Thu 02 Nov '06 12:44 Post subject: Disabling the browser back button? |
|
|
Hi,
How would I disable the web browser's back button? I only want the user to use the buttons I have in the webpages, to avoid them resubmitting data, especially data that will be uploaded and imported to the MySQL database.
I was told that this can be achieved using JavaScript.
Can this be done, if so, how?
Thanks
Quote: | Every man has to go through Hell...to reach his Paradise |
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Thu 02 Nov '06 13:28 Post subject: |
|
|
You can save in your session how far the user has clicked in the process of your forms.
e.g.
page 5
Code: |
session_start();
$_SESSION['page']=5; // remember the furthest page the user has reached
.....
|
page 4
Code: |
session_start();
// Refuse to serve page 4 again once page 5 has been reached
if (($_SESSION['page'] ?? 0) == 5) {
    die('you are not allowed to go back');
} else {
    //do some stuff
}
|
|
|
kr33
Joined: 19 Sep 2006 Posts: 64 Location: South Africa
|
Posted: Thu 02 Nov '06 13:49 Post subject: |
|
|
That seems logical and I understand perfectly what you are saying,
but I want to be able to literally disable the web browser's back button and only allow my webpage buttons.
I know that there is some way, using JavaScript, something like
Code: |
<script> history.forward() </script>
|
or something to that effect, but it isn't clear enough. Could you or anyone
else shed some light on this issue? I want to achieve maximum security on this site, that's all, and no loopholes, if you know what I mean.
Thanks |
|
Jorge
Joined: 12 Mar 2006 Posts: 376 Location: Belgium
|
Posted: Thu 02 Nov '06 14:32 Post subject: |
|
|
No it can't be done... else AJAX wouldn't have the backbutton of death problem. |
|
kr33
Joined: 19 Sep 2006 Posts: 64 Location: South Africa
|
Posted: Thu 02 Nov '06 14:36 Post subject: |
|
|
OK, thanks a lot.
It was just brought to my attention that it is possible to hide the browser's toolbar, so the user will not be able to see/use the browser's back/forward buttons, and to prevent them from pressing the backspace key, as it has the same effect as clicking the back button.
How would you achieve that?
thanks again |
|
kr33
Joined: 19 Sep 2006 Posts: 64 Location: South Africa
|
Posted: Thu 02 Nov '06 15:51 Post subject: |
|
|
Here is a javascript function that may help with sort of "disabling" the browser back button
Code: |
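<!--
// Assumes the page is normally loaded without a query string.
function DisablingBackFunctionality() {
    var URL;
    var i;
    var QryStrValue;
    URL = window.location.href;
    i = URL.indexOf("?");
    // Everything after the first "?" (the whole URL when there is none)
    QryStrValue = URL.substring(i + 1);
    // Reload the page once with "?X" appended, so Back returns to this page
    if (QryStrValue != 'X') {
        window.location = URL + "?X";
    }
}
//-->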
|
Although I'm looking for a better way to do this. Hope someone out there finds this sorta helpful and now understands completely what I'm trying to achieve and could possibly have a better way of at least achieving the same effect. |
|
Brian
Joined: 21 Oct 2005 Posts: 209 Location: Puyallup, WA USA
|
Posted: Thu 02 Nov '06 15:52 Post subject: |
|
|
Just keep in mind any solution to hide a toolbar is going to require the browser to respond to the JavaScript requests to take this action. One thought I had was to make each web page they go to during whatever process they are going through that you wish to avoid the use of the BACK button, make it the same page such as:
index.php
...but you pass along variables to indicate which page they are on. In addition to this you could in theory use a cookie or a session variable to track where they have been, in essence you could then redirect them back to the page they were on -but- this would not be an easy solution if you were passing a large number of variables along.
It gets very complicated to avoid the use of the back button and it almost makes more sense to instead redirect the user to some page that makes them basically "start over" if they use the back button, but again this would require some tricky session management programming as I see it.
I dealt with this a couple of years ago and found that when they press the back button the browser tries to pull the page out of cache, that is why I decided to use a single page for my entire web site and I pass GET and POST vars (depending on circumstances) along and using a tracking method I can kick them back to the login page if they misbehave. |
|
kr33
Joined: 19 Sep 2006 Posts: 64 Location: South Africa
|
Posted: Fri 03 Nov '06 9:10 Post subject: |
|
|
That makes perfect sense, and the truth of the matter is... that it is a bit of a tricky and, more often than not, a problem with a bit of a complex solution.
Nevertheless, it's a challenge. The JavaScript code I posted in one of the above messages basically achieves the same result as mentioned by you, that redirects the user to the same page, thereby causing them to redo whatever they did before.
What I've noticed as well is that not all browsers support this kind of scripting, which hides/disables browser buttons, so writing a script of this nature can be somewhat of a tedious task.
If I find a solution to this that works much more effectively and efficiently than the above, I'll post it up here.
Ciao |
|
Brian
Joined: 21 Oct 2005 Posts: 209 Location: Puyallup, WA USA
|
Posted: Fri 03 Nov '06 19:07 Post subject: |
|
|
Just don't rely on JavaScript for any form of security or privacy, it will fail you whether by accident or by the bad intentions of someone.
Use JavaScript for efficiency, for ease of use, for error correction prior to form submissions and things like that. That is why I would rather see the burden placed on the server side scripting.
As an example, I was able to show proof of concept by using FF with the NoScript plugin. At a particular site, with the approval and witness of the webmaster (all ethical and legal here) I was able to log in to my account, disable JavaScript, then in a form input some JS that could have created a redirect, or really anything I wanted to do. Then I saved the data, which was supposed to be my profile such as name, interests and so on, but in essence I was able to do whatever I wanted to.
Now on this server it checked to see if JS was enabled, and indeed at the time it checked I did have it enabled but at the time I submitted the data it was disabled. Since there was no server side checking, I was able to demonstrate a weakness in security that could prove to be costly in some way or another.
The server side technology is not important, in fact this site was a JSP (Java) based site. They relied completely on client side security with a stupidly placed check to see if the browser had JS enabled, that was the extent of the security.
This is an example of why I would never trust or rely on Javascript. |
|
kr33
Joined: 19 Sep 2006 Posts: 64 Location: South Africa
|
Posted: Mon 06 Nov '06 8:45 Post subject: |
|
|
Thanks
I will take that into account, although the site is purely PHP. The JavaScript is just for certain client side checks, in fact only one check, and that is to make sure that the back button is "disabled"; all other security is done using PHP and is server-side.
I wouldn't rely on JavaScript or any client-side scripting for security, at least not on its own.
Thanks for the advice, it's been a major help and has taught me A LOT over the past few weeks.
I just hope to develop a web application that would be an example of how web development should be done.
Ciao |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Thu 15 Mar '07 10:37 Post subject: |
|
|
Hello!
I found a PHP solution that worked for me. But you have to be very careful where to put this code into your page! If done wrong, maybe no data will be saved or whatever.
Code: |
// After handling a POST, redirect to the same URL so the page is re-requested with GET
if (count ($_POST)) {
    header ('Location: ' . $_SERVER['REQUEST_URI']);
    die();
}
|
|
|
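The session step tracking and the redirect after POST suggested in this thread can be combined with a single-use form token so that a resubmission is refused on the server no matter what the browser does. This is an added example, not code from any poster; the session keys `step` and `form_token`, the three-step flow and the messages are assumptions.

```php
<?php
// Added example, not from the thread. Key names (step, form_token) are hypothetical.
session_start();

const LAST_STEP = 3;

// Issue a fresh single-use token each time the form is rendered.
function issue_token(): string {
    $_SESSION['form_token'] = bin2hex(random_bytes(32));
    return $_SESSION['form_token'];
}

// Consume the token: it is valid exactly once, so a replayed POST fails.
function consume_token($submitted): bool {
    $expected = $_SESSION['form_token'] ?? '';
    unset($_SESSION['form_token']);
    return is_string($submitted) && $expected !== ''
        && hash_equals($expected, $submitted);
}

$current = $_SESSION['step'] ?? 1;
if ($current > LAST_STEP) {
    exit('All steps completed.');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $step = (int)($_POST['step'] ?? 0);
    // Refuse out-of-order steps and replayed forms (Back button, then submit again).
    if ($step !== $current || !consume_token($_POST['token'] ?? null)) {
        http_response_code(409);
        exit('This step was already submitted or is out of order.');
    }
    // Placeholder: validate and store this step's data here.
    $_SESSION['step'] = $current + 1;
    // Post/Redirect/Get: the history entry becomes a GET, so a reload cannot re-POST.
    header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'), true, 303);
    exit;
}

$token = issue_token();
?>
<form method="post">
  <input type="hidden" name="step" value="<?= $current ?>">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <p>Step <?= $current ?> of <?= LAST_STEP ?></p>
  <button type="submit">Continue</button>
</form>
```

A form restored from the browser cache after pressing Back still carries the old token and step number, so submitting it again returns the 409 response instead of writing the data twice.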