session is not destroyed

Posted 2020-05-07 18:54

I have this file

secure.php

<?php
session_start();
if(empty($_SESSION['u_name'])) {
    header("Location:emprego.php");
    exit; // stop rendering after sending the redirect header
}

if(isset($_GET['logout'])) {
    session_destroy();
    header("Location:emprego.php");
    exit;
}

$name = $_SESSION['u_name'];

?>

<li><?php echo "<a href='emprego.php?logout' id='D'>Logout</a>";?></li>

Basically, if I log out, I am redirected to emprego.php. But if I click the back button (the arrow in the browser), I can still view the same page (secure.php).

My question is, why?

Thanks

5 answers
不美不萌又怎样
#2 -- 2020-05-07 19:28

Your browser keeps a copy of the page in cache. When you click the back button, you are seeing the local cached copy, not the current page from the server. If your security is set up properly, you will not be able to do anything meaningful from that cached page.

It is for this reason that secure websites (bank sites, for example) tell you to log off and clear your cache (or close the browser) after you log out.

够拽才男人
#3 -- 2020-05-07 19:38

All the other solutions didn't seem to work for me. However, this workaround did the trick. Basically, the code below keeps calling the logout until the logout finally succeeds:

if (isset($_GET["logout"])){
    if (isset($_SESSION["username"])) {
        unset($_SESSION["username"]);
        session_destroy();
        header("Location:/?logout=true");
        exit;
    }
    header("Location:/");
    exit;
}
别忘想泡老子
#4 -- 2020-05-07 19:39

If you're using session cookies, also try expiring the session cookie explicitly, like this:

if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

Also, going back in the browser only loads a cached copy of the page. If you tried interacting with the cached page to fetch a new page from the server, you shouldn't be able to proceed.

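Putting the two points from answers #2 and #4 together (the server-side session must be cleared and the browser must be told not to cache the protected page), here is an added example written for this thread, not code from any of the answers above. The file and session key names (secure.php, emprego.php, u_name) follow the question; the helper names and the PHP 7.3+ array form of setcookie() are assumptions.

```php
<?php
// Added example for this thread: a logout handler plus a protected-page
// preamble. Assumes PHP 7.3+ (setcookie() options array, 'samesite' key).

function send_no_store_headers(): void {
    // Tell the browser and any proxy not to keep a copy of this response,
    // so the back button re-requests the page instead of showing a cached one.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

function logout_and_redirect(string $target): void {
    // 1. Wipe the session data held on the server.
    $_SESSION = [];
    // 2. Expire the session cookie on the client so the old ID is not resent.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }
    // 3. Destroy the server-side session record.
    session_destroy();
    // 4. Redirect and stop: without exit the rest of the page still renders.
    header('Location: ' . $target);
    exit;
}

// --- secure.php preamble ---
session_start();
send_no_store_headers();

if (isset($_GET['logout'])) {
    logout_and_redirect('emprego.php');
}

if (empty($_SESSION['u_name'])) {
    header('Location: emprego.php');
    exit;
}

$name = $_SESSION['u_name'];
```

With the no-store headers in place, pressing back after logout makes the browser fetch secure.php again, and the empty-session check then redirects to emprego.php.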
啃猪蹄的小仙女
#5 -- 2020-05-07 19:50

http://nl2.php.net/manual/en/function.session-destroy.php

Take a look at example 1 here. It clearly states that you have to clear $_SESSION as well.

if(isset($_GET['logout'])) {
    unset($_SESSION['u_name']); // removes that variable from the session
    session_destroy();
    header("Location:emprego.php");
    exit; // stop rendering after the redirect header
}
劳资没心,怎么记你
#6 -- 2020-05-07 19:50

I recently found header_remove(); http://php.net/manual/en/function.header-remove.php

    Caution: This function will remove all headers set by PHP, including cookies, session and the X-Powered-By headers.

Not sure whether this is the appropriate way to do it, but it's pretty effective for log out functionality.
