Confused about sessions

On the index page, the main page, I have a login. It works fine. Only the correct pw and un get you to the site's admin page.
On the admin page, I have a logout link. When I click the logout link, this script runs:

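session_start(); // the session must be open before it can be changed or destroyed (skip if already started earlier in the script)
unset($_SESSION['myusername']);
unset($_SESSION['mypassword']);
// invalidate the session cookie
if (isset($_COOKIE[session_name()]))
{
    setcookie(session_name(), '', time()-86400, '/');
}
// end session
session_destroy();
header('Location: ../index.php');
exit; // stop the script once the redirect has been sent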

Basically, it destroys the session and relocates the user to the main page.

Here’s what I am confused about.

If I log out from the admin page I will be transferred to the index page. Let’s say that I now type the complete URL to the admin page in the address bar and press Enter. The browser cannot move to the admin page. It will remain on the index page because I destroyed the session. That’s good.

But, if I click the browser back button, the browser will show the admin page, although the session is supposed to be destroyed. Not only can I go back to the admin page, the links on the admin page work just fine. Is this the way it is supposed to work? I thought that if I destroy the session, the admin page should be unavailable until I give the correct pw and un.

Hi, have you checked for the session's existence?
On every page after login you should check for the session's existence and redirect to the index or login page if the session is not available.
Suppose you have set the session as:
$_SESSION['loggedin'] = TRUE;

So now you should check for the session on every page:

session_start();
if (!isset($_SESSION['loggedin'])) {
    // redirect to the login page (adjust the path to where your login page lives)
    header('Location: index.php');
    exit; // stop here so the rest of the protected page is not sent
}

This should work.

Do you check for a valid session on the admin home page? It seems you set the session variable but do not check for a valid session on the admin page.
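
The per-page session check described in the replies above, together with a logout that pairs with it, as an added example that is not part of the original thread. The function names, the `/index.php` login URL and the idea of keeping them in one include file are assumptions; `loggedin` is the flag name from the reply. The guard also sends `Cache-Control: no-store`, so that pressing Back after logout makes the browser request the page again rather than redisplay a stored copy.

```php
<?php
declare(strict_types=1);
// Hypothetical include file: require it at the very top of every admin page.

function require_login(string $loginUrl = '/index.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Ask the browser not to store protected pages. Without this, Back can
    // show a cached copy of the admin page even though the session is gone.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');

    // The flag is set to true only by the login script after a successful login.
    if (($_SESSION['loggedin'] ?? false) !== true) {
        header('Location: ' . $loginUrl);
        exit; // without exit the rest of the admin page would still run and be sent
    }
}

function logout(string $loginUrl = '/index.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // the session must be open before it can be destroyed
    }

    $_SESSION = []; // drop every session variable for this request

    // Expire the session cookie using the same parameters it was created with.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 86400,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    session_destroy(); // remove the server-side session data
    header('Location: ' . $loginUrl);
    exit;
}
```

Call `require_login()` as the first statement of each admin page, including the pages the admin links point to, before any output is sent.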