Rus84

Reputation: 33

How to kill a session after logging out using php

I have seen the following question and tried to adapt part of the answer but to no luck: 'How can I disable the back browser button after user press logout and destroy session?'

I know this topic has been much discussed and people hate the phrase "disable the back button". But if I have a database with important information on it, once the person logs out, how do I prevent someone from pressing the back button and returning to the previous page?

One answer I have seen, and which could answer the question, is below: One approach I have seen for deliberately breaking the back button use is to pass a token on every URL within the application, and within every form. The token is regenerated on every page, and once the user loads a new page any tokens from previous pages are invalidated. When the user loads a page, the page will only show if the correct token (which was given to all links/forms on the previous page) was passed to it. Can anyone provide some insight into how to do this?

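<?php
session_start();
$_SESSION = array(); // clear the session data first
session_destroy(); // then remove the session on the server
header("Location: login.php");
exit; // stop the script once the redirect has been sent
?>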

Where should the header go?

header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");



<?php
session_start(); // starts the session
if (empty($_SESSION['user'])) { // checks if user is logged in
    header("Location: login.php"); // redirects if user is not logged in
    exit; // stop here so the rest of the page is never sent
}
$username = $_SESSION['user']; // assigns user value
$id_exists = false;
?>

I have a checklogin.php that checks the username and password entered with those stored in the MySQL database. They then are redirected to file1.php. On this page there is a logout button. The code above is stored on logout.php.

When a user logs out I do not want them to be able to access the file again by pressing the back button. Thanks

Upvotes: 0

Views: 2184
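
The per-page token scheme quoted in the question, as an added example that is not part of the original post or its answers. The function names, the `page_token` session key, the `t` URL parameter and the choice to clear the session on a bad token are assumptions of this example.

```php
<?php
// Added example: function names and the 'page_token' session key are hypothetical.

/** Store a fresh random token as the only valid one and return it. */
function issue_page_token(array &$session): string
{
    $session['page_token'] = bin2hex(random_bytes(32));
    return $session['page_token'];
}

/**
 * Gate for every protected page. Returns the token to put in this page's
 * links and forms, or null when the request must be sent to login.php.
 * The stored token is consumed on every call, so the token of an earlier
 * page (what a back-button reload sends) never matches again.
 */
function guard_page(array &$session, $supplied): ?string
{
    $expected = $session['page_token'] ?? null;
    unset($session['page_token']);
    $ok = !empty($session['user'])
        && is_string($expected) && is_string($supplied) // rejects missing or array input
        && hash_equals($expected, $supplied);           // constant-time comparison
    if (!$ok) {
        $session = []; // design choice of this example: a bad token ends the login
        return null;
    }
    return issue_page_token($session);
}

// Real page (assumed wiring): session_start();
//   $next = guard_page($_SESSION, $_GET['t'] ?? null);
//   if ($next === null) { header('Location: login.php'); exit; }
//   then add ?t=<urlencode($next)> to every link and a hidden field to every form.

// Constructed walk-through; a plain array stands in for $_SESSION.
$session = ['user' => 'alice'];        // state right after checklogin.php
$t1 = issue_page_token($session);      // sent with the redirect to file1.php
$t2 = guard_page($session, $t1);       // file1.php loads and rotates the token
$t3 = guard_page($session, $t2);       // next page, reached through a link
$back = guard_page($session, $t1);     // back button: file1.php's old URL again
var_export([
    'file1_accepted' => $t2 !== null,
    'next_accepted'  => $t3 !== null,
    'back_accepted'  => $back !== null,
    'session_after'  => $session,
]);
```

Opening a link in a second tab or a browser prefetch also consumes the token, and tokens carried in URLs end up in browser history and server logs. The scheme therefore works alongside the server-side session check and the `Cache-Control: no-store` header, not in place of them.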

Answers (2)

Prasanth Jaya

Reputation: 4736

login page:

<?php
session_start(); // required before $_SESSION can be used
if (isset($_POST['uname'], $_POST['pwd'], $_POST['type'])) {
    $Username = $_POST['uname'];
    $Password = $_POST['pwd'];
    $User_Type = $_POST['type'];
    if (!(empty($Username) || empty($Password) || empty($User_Type)))
    {
         $model = new UsersModel();
         $rowsCount = $model->checkUser($Username, $Password, $User_Type);
         if ($rowsCount != 0)
         {
              session_regenerate_id(true); // issue a new session ID on login
              $_SESSION['user'] = $Username;
              header("Location: LoginViewController.php");
              exit(); // stop the script once the redirect has been sent
         } else {
              echo 'Bad user';
         }
    } else {
         echo 'Please, fill all inputs';
    }
} else {
    echo 'Bad form sent';
}
?>
 <form name="f1" method="POST" action="" >
 <!-- inputs -->
 </form>

LoginViewController.php :

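<?php
session_start(); // required before $_SESSION can be read
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");

if (!isset($_SESSION['user'])) {
    header('Location: login.php');
    exit();
}
// escape the stored name before writing it into the page
echo 'You have successfully logged as ' . htmlspecialchars($_SESSION['user']);
?>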

And add the headers to force the browser to revalidate the pages:

logout.php :

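<?php
session_start();
$_SESSION = array(); // clear the session data
if (ini_get("session.use_cookies")) { // expire the session cookie in the browser
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p["path"], $p["domain"], $p["secure"], $p["httponly"]);
}
session_destroy(); // remove the session on the server
header("Location: login.php");
exit();
?>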

Upvotes: 0

user4113344

Reputation:

As for headers, here are the ones from a web server I regularly use after a search:

Cache-Control: private, pre-check=0, post-check=0, max-age=0
Expires: 0
Pragma: no-cache

Pressing the back button after clicking a link from the results page displays an error message in Firefox. The only notable difference I see is Expires: 0.

Upvotes: 1
