Original URL: http://stackoverflow.com/questions/1035537/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
How can I not allow a user to go back after logout in PHP?
Asked by Ole Media
I just wrote a PHP login script, and what I'm trying to accomplish is that when the user clicks the log out link, after they log out, regardless of clicking the back button of the browser, they cannot access the page.
Here is the logout function:
```php
// Start the session
session_start();
session_destroy();
header("location:login.php");
exit();
```
I did place the following code on all the pages, and this does not seem to do the job:
```php
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Pragma: no-cache");
// Start the session
session_start();
```
Any suggestions?
Accepted answer by Ólafur Waage
Check when the user is logged out if the session global is still set with the correct value.
```php
print_r($_SESSION);
```
The reason for this is that you are doing a session_destroy and then a header redirect. What happens is that you force a redirect and the destroying of the session isn't written to the server that way.
Answer by jmucchiello
You can't control the workings of the client-side back button on the server. You could destroy the history data using JavaScript on the client.
The client can completely ignore the no-cache headers.
Answer by karim79
Just redirect if there's no login $_SESSION, for example:
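```php
// on your protected pages
session_start();
// empty() also covers the case where the key was never set
if (empty($_SESSION['logged'])) {
    header("location:login.php");
    exit; // stop here so the protected page is not sent after the redirect header
}
```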
This is what my logout does:
```php
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}
// Finally, destroy the session.
session_destroy();
```
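The page guard and the logout from this answer, combined into one helper file with a `Cache-Control: no-store` header, as an added example that is not part of any answer in this thread. It assumes the `logged` session key and `login.php` used in the posts above; the function names and the `auth.php` file name are hypothetical.

```php
<?php
// auth.php (hypothetical file name): added example, not code from the thread.
// Assumes the 'logged' session key and login.php from the posts above.

function send_no_store_headers(): void
{
    // no-store asks the browser not to keep a copy of the response at all,
    // which is stricter than the no-cache/must-revalidate pair in the question.
    header('Cache-Control: no-store, max-age=0');
    header('Pragma: no-cache'); // for legacy HTTP/1.0 clients
}

function require_login(): void
{
    session_start();
    send_no_store_headers(); // sent after session_start() so these values win
    if (empty($_SESSION['logged'])) {
        header('Location: login.php');
        exit; // without this the protected page is still rendered and sent
    }
}

function logout(): void
{
    session_start();
    $_SESSION = array(); // session_destroy() does not clear this array by itself

    // Expire the session cookie with the same attributes it was created with;
    // a mismatched path or domain leaves the original cookie in the browser.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    session_destroy(); // remove the server-side session data
    send_no_store_headers();
    header('Location: login.php');
    exit;
}

// Protected page:  require 'auth.php'; require_login();
// logout.php:      require 'auth.php'; logout();
```

Even when a browser shows a copy it already holds after Back, any new request from that page reaches `require_login()` with an empty session and is redirected.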
Answer by Shea Daniels
I think you need to store something in the session and then check it on each page load. Here's how I've done it in the past:
Login Script (simplified)
```php
session_start();
// register necessary session variables
$_SESSION['username'] = $username;
```
Logout Script:
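```php
session_start();
// destroy the session and check to make sure it has been destroyed
$_SESSION = array(); // session_destroy() alone leaves $_SESSION populated for this request
session_destroy();
// session_is_registered() was removed in PHP 5.4; test the superglobal instead
if (!isset($_SESSION['username'])) {
    $loginMessage = 'You have been logged out.';
    include 'index.php';
    exit();
}
// if we're still here, some bad juju happened
```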
Top of Every Page
```php
session_start();
// make sure user is logged in (empty() also covers an unset key)
if (empty($_SESSION['username'])) {
    $loginError = "You are not logged in.";
    include("index.php");
    exit();
}
```
Answer by pjau
```php
$_SESSION['blah'] = '';
```
This works too..
Answer by Blocked User
```php
<?php
session_start();
if (!isset($_SESSION['username']) && !isset($_SESSION['password'])) {
    header('Location:../index.php');
    exit;
} else {
    session_destroy();
}
?>
```
This really helps me. Paste this on every page or in the page where your logout is:
```php
<?php
session_start();
session_unset();
session_destroy();
header("Location:../index.php");
exit;
```
and as simple as this in destroying your session
Answer by Chris Thompson
I would suggest that you use HTTPS with SSL. You can close the SSL session and kick the user back out to a non-encrypted page.
Most browsers implement caching schemes differently.
For example, in Opera you can click Back and it will pull the page data directly from memory without sending any data to the server, even if the page has expired. If you hit Refresh, of course, your server would require the login.
In Internet Explorer, it's handled very differently and form data is resubmitted to the server.
Answer by M.W. Felker
It might be your session_destroy() functions. Try this:
```php
unset($_SESSION);
```
Un-setting the $_SESSION variable will clear out anything stored here.
Check out unset() on PHP.net

