Most systems I have worked with test for a valid session with every call to a member's only section of a website. This includes RESTful scripts that should only be accessed by logged in users.

If the session doesn't pass your validity test, redirect them to a login page.
Basically, they can hide the session id and in doing so, they are logging themselves out of your system.

For example:

if(!isset($_SESSION['user'])) {
   header('HTTP/1.1 401 Unauthorized');
   header('Location: http://www.mysite.com/login.php');
}

Put a script like the above any place a user can enter your site that requires authorization. This is often a 'front controller' -- a single script that serves up other pages/articles on your site; if not then each script needs to be secured by including this code with a require_once().

madCoder is correct, however be careful using require_once or require as if it dies and results in error, the user can then use directory traversal to hack your site.

offline browsing is only the user going through their (temp) folder.
So it will always be what they saw last time they were on the site.