How can I not allow a user to go back after logout in PHP?

Question

I just wrote a PHP login script, and what I'm trying to accomplish is that when the user click to the log out link, after they log out, regardless clicking the back button of the browser, they cannot access the page.

Here is the logout function:

//Start the Session
session_start();
session_destroy();

header("location:login.php");
exit();

I did place the following code on all the pages, and this seems not do the job:

header ("Expires: Mon, 26 Jul 1997 05:00:00 GMT");    // Date in the past
header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header ("Cache-Control: no-cache, must-revalidate");  // HTTP/1.1
header ("Pragma: no-cache");

//Start the Session
session_start();

Any suggestions?

Answer 1

You can't control the workings of the client-side back button on the server. You could destroy the history data using javascript on the client.

The client can completely ignore the no-cache headers.

Answer 2

Check when the user is logged out if the session global is still set with the correct value.

print_r($_SESSION);

The reason for this is that you are doing a session_destroy and then a header redirect, what happens is that you force a redirect and the destroying of the session isnt written to the server that way.