I have googled this pretty much since I am new to this kind of security thing, but I still have some doubts.
$_SESSION["logged"] = 1;
I have NOTHING stored in the client,
Perhaps you are unfamiliar with how sessions work. There will be a cookie on the client machine. You can improve your security of this cookie by using a better-than-default session name/key generator such as whirlpool.
Your security will be paramount to use a TLS layer such as Lets Encrypt which is a free community supported TLS layer and fairly secure (actually it appears to be very secure but I can't beleive that something free is so good so I persist in withholding a litle bit of judgement!)
You also NEED TO TELL PHP YOU ARE USING TLS This is very important and you need to edit the
php.ini file to tell PHP to use only HTTP and Encrypted cookies for sessions, such as with
Judging by your question you really, really bette be using Prepared Statements and fully qualifying your database interactions to avoid SQL Injection and database compromise.
Session_destroy is relatively worthless, stop caring about it. What you want to be using is regularly running
session_regenerate_id typically every few page loads (say 5).
Some further reading: PHP Sessions and Security.
As I have already said, I haven't much experience in this stuff
Then you're going to miss things, make mistakes and the chances that your clients website is at risk from abuse or compromise is grealy increased.