I don't want the user to go back to secured pages by clicking the back button after logging out. In my logout code, I am unsetting the sessions and redirecting to the login page. But I think the browser is caching the page, so it becomes visible despite the session being destroyed on logout.
I am able to avoid this by not allowing the browser to cache:
header("Cache-Control", "no-cache, no-store, must-revalidate")
At the top of each page, check to see if the user is logged in. If not, they should be redirected to a login page:
<?php session_start(); if (!isset($_SESSION['logged_in'])) { header("Location: login.php"); exit; /* stop rendering the page */ } ?>
As you mentioned, on logout, simply unset the logged_in session variable, and destroy the session:
<?php session_start(); /* resume the session first */ unset($_SESSION['logged_in']); session_destroy(); ?>
If the user clicks back now, no logged_in session variable will be available, and the page will not load.
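The cache header from the question and the session check from the answer, combined into one include, as an added example that is not part of the original posts. The file name `auth.php` and the functions `send_no_cache_headers()`, `require_login()` and `logout_user()` are hypothetical; `login.php` and `logged_in` come from the thread.

```php
<?php
// auth.php (hypothetical file name): include at the top of every protected page.

// Tell the browser and any intermediary not to store the response, so the
// back button has to re-request the page instead of showing a cached copy.
function send_no_cache_headers(): void
{
    header('Cache-Control: no-cache, no-store, must-revalidate');
    header('Pragma: no-cache');   // honoured by HTTP/1.0 caches
    header('Expires: 0');         // treated as already expired
}

// Guard for protected pages: must run before any output is sent.
function require_login(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    send_no_cache_headers();
    if (empty($_SESSION['logged_in'])) {
        header('Location: login.php');
        exit; // without this, the rest of the protected page still executes
    }
}

// Logout: clear server-side state and expire the session cookie.
function logout_user(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: login.php');
    exit;
}
```

A protected page begins with `require 'auth.php'; require_login();` and the logout script calls `logout_user()`. With both in place, pressing back after logout triggers a fresh request that fails the session check instead of replaying a stored copy.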