How to logout properly (PHP)

When I press the login button, it deletes the cookie redirects to the main page. It works perfectly.

But when I press the "back" button (or backspace key), the logged in page still shows up. I want to prevent this for users' privacy reasons.

How would you do it?

See this SO question/answer:

(PHP) How to destroy the session cookie correctly?

And also this question on cache control:

How to use HTTP cache headers with PHP

Basically, what you need to ensure you are doing is destroying the PHP session appropriately, and send proper caching instructions to the browser (essentially, not to cache).

Note the answer to the question I linked to states that, if you destroy the session on the server, the cookie itself is useless. Don't rely on the cookie being removed to end a session.

Of course it will. Refresh the page, you will find that the cookie has not been reset.

Are you sure you are properly unsetting the PHP session variables?

This is possibly down to the browser, not your code. You could try and stop the browser caching the page using -

<meta http-equiv="pragma" content="no-cache" />

This seems like a caching issue. Configure your application to send anti-caching headers to the browser to prevent your pages from being cached in browser memory.

header("Cache-Control: no-cache"); 
header("Pragma: no-cache"); 
header("Expires: 0");

Of course, if a user did click backspace after being logged out, they couldn't actually do anything, just view the page as if they were logged in. All requests etc will fail.

Alternatively, you could make your logout.php redirect to a "See you soon" or similar page, where pressing back would keep them logged out.

EDIT: ALSO, if another user came to the browser and reopened the page, it wouldn't show the user from before.

You can use Expires header (php uses it with session). If you send something linke expires in 1970 browsers will not cache the page, instead they will reload it when someone uses the history function.

From PHP manual:

header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past

But let me add: nothing gives a 100% protection. If the user wants a secure session, all browsers support some safe mode, where after closing the window all history and cache information of that session is deleted.