Session destroy not working....

redirect your page to somewhere so that when back button is clicked he cannot go back to the auth.php.
change this:

echo " logged. Out.";

to:

header('Location:index.php');

What's in your admin.php page ? Are you checking if the session is valid or it has expired ? The best way to completely destroy the session is to redirect the page after you destroy the session. When the user clicks on the logout link, I do it this way.

<a href="index.php?logout=true">Logout</a>
.....
//in index.php
session_start();
....
if(isset($_REQUEST['logout']) && $_REQUEST['logout']=='true')){
 session_destroy();
}

Edit: Or you can do as ryan_vietnow has mentioned.. :) Its much easier way.

* echo part in both codes was temporarily changed to save page.

the actual echo was;

<?php
//echo "You have been successfully logged out.
echo "
<html>
<head>
	<title>Cycle Tracks Portal</title>
	<style type='text/css' media='all'>@import 'images/style.css';
	</style>
	<link rel='alternate' type='application/rss+xml' title='RSS 2.0' href='rss/' />
</head>
<body>
	<div class='content'>
		<div class='topmenu'>
			<div class='date_'>";
				 echo date('l dS \of F Y');
		echo "</div>
		</div>
		<div id='submenu'>
			<form action='#'>
			</form>
			<br>
		</div>	
		<div class='cycle1'>
			<div class='title' style='text-align: center; width: 179px'>
			</div>
		<div class='slogan' style='width: 223px; height: 11px'></div>
	</div>";
	echo "<div><br>
			<p style='font-family:Calibri; color:#0066FF; font-size: large; text-align:center'>You have been <span style='color:green'>Successfully</span> logged out.</p>
		</div>";
	echo "
		<marquee style=' width: 100%; height: 10%; behavior: scroll' direction='up' scrollamount='7'><p style='font-family:Calibri; color:#0066FF; font-size: large; text-align:center'>You will be now returned to the Main page.</p></marquee>
		<div class='footer'>
			<div class='padding'>
			&copy; Copyright Cycle Tracks 
			<span>®</span>
		</div>
	</div>
</div>
</body>
</html>
<META HTTP-EQUIV=\"refresh\" content=\"5; URL=index.html\"> ";
?>

*ignore the <?php and ?>

just make this actual echo a separate page(e.g. redirect.php) then change the header location as I mentioned earlier as redirect.php

auth.php

<?php

// start session
session_start(); 
// convert username and password from _POST or _SESSION
if($_POST){
  $_SESSION['username']=$_POST['username'];
  $_SESSION['password']=$_POST['password'];  
}

// query for a user/pass match
$result = mysql_query("SELECT * FROM users WHERE username='" . $_SESSION['username'] . "' and password='" . $_SESSION['password'] . "'");

// retrieve number of rows resulted
$user = mysql_num_rows($result);

// print login form and exit if failed.
if($user < 1){
echo " Please login";
?>

in your auth,php script, once the user is verified try setting a session variable like
$_SESSION=1;
Initially keep the session variable as 0
$_SESSION=0;

logout.php

<?php
// logout.php

// you must start session before destroying it
session_start();
session_unset();
session_destroy();
//}


//echo "You have been successfully logged out.
echo " logged. Out.";
?>

The codes above working fine, after I log out, if I paste the direct link to the admin.php, it won't go. But the problem is, when I log out, if I press the back button on the browser (firefox), it will back to admin.php.*

Please help.

* echo part in both codes was temporarily changed to save page.

now in the logout.php when the user logs out make the session variable as 0
$_SESSION=0;
In all other pages check whether your $_SESSION is set or not . if not set direct the user to any warning page

<?php ob_start(); session_start(); if($_SESSION['views']==0) header("Location:error.php"); ob_flush(); ?>[code=php]
<?php
ob_start();
session_start();
if($_SESSION==0)
header("Location:error.php");
ob_flush();
?>

there are something wrong with ur admin.php script.. can you show me it's script

First of all, session_destroy() deletes everything you have stored on your session. if you only want to logout some user, simply use unset($_SESSION) and after that redirect to the login page (or your index page). For this you can also use javascript to force redirect.

Very simple solution is to add one filter function at every php page and check the any session variable declared at the session_start(); and if it there than allow the access otherwise redirect it to login page. hope this helps you...

I feel the main concern is the back button because all it does is show a previous page that's in the browser cache; even if you redirect to another page you can still hit the back button back to the admin page. Is there anyway to simply stop the back button? Or would simply adding header("Pragma: no-cache"); work?

If you used something like session_name("mysession") you'll need to put that before your session_start();