You need to use session_write_close() before header()

It still doesn't work...

<?php 
unset($_SESSION["authenticationValid"]); 
unset($_SESSION["authenticationUser"]); 
session_write_close();
header("Location: login.php"); 
?>

Are you sure this isn't due to cache? If you view the restricted pages, can you do a refresh and it still works?

I already tried that, yes. It still keeps my session.

I'm going to try

$_SESSION["authenticationValid"] = FALSE;
$_SESSION["authenticationUser"] = "";

instead to see if that works.

EDIT: Didn't work. Here are all my pages and their respective content.

index.php

<?php 
 session_start(); 
 if(!isset($_SESSION["authenticationValid"]) || $_SESSION["authenticationValid"] !== TRUE) 
 {  

  header("Location: login.php"); 
  exit;  

 } 
?>  

<HTML>
 <HEAD>
  <TITLE>Welcome to our secured home page!</TITLE>
  <LINK REL="stylesheet" TYPE="text/css" HREF="style.css">
 </HEAD>

 <BODY>
  <P>Welcome, <STRONG><?php echo $_SESSION["authenticationUser"]; ?></STRONG>!</P>
  <P><A HREF="logout.php">Logout</A></P>
 </BODY>
</HTML>

login.php

<?php 
 session_start(); 
 $mysqlHost = "localhost"; 
 $mysqlUserName = "newacct"; 
 $mysqlPassWord = "***********"; 
 $mysqlDatabase = "newacct_1"; 

 $mysqlConnect = mysql_connect($mysqlHost, $mysqlUserName, $mysqlPassWord); 
 $mysqlSelect = mysql_select_db($mysqlDatabase);  

 if(isset($_POST["submit"])) 
 {  

  if($_POST["userName"] != "" && $_POST["passWord"] != "") 
  {  

   $mysqlQuery[1] = mysql_query("SELECT 'userName' FROM authentication_system WHERE userName = '".$_POST["userName"]."' AND passWord = PASSWORD('".$_POST["passWord"]."');");  

   if(mysql_num_rows($mysqlQuery[1]) == 1) 
   { 
    $_SESSION["authenticationValid"] = TRUE; 
    $_SESSION["authenticationUser"] = $_POST["userName"];
    header("Location: index.php"); 
   }  

   else 
   { 
    $displayMessage = "The username/password combination you entered was incorrect."; 
   }  

  } 
  else 
  { 
   $displayMessage = "Please enter a value in both login fields!"; 
  }
 } 
?>  

<HTML>
 <HEAD>
  <TITLE>PHP/MySQL Authentication System</TITLE>
  <LINK REL="stylesheet" TYPE="text/css" HREF="style.css">
 </HEAD>

 <BODY>
  <P><?php echo $displayMessage; ?></P>
  <FORM ACTION="" METHOD="POST">
   <TABLE>
    <TR>
     <TD ALIGN="center">Username</TD>
     <TD ALIGN="center"><INPUT TYPE="text" NAME="userName" VALUE="<?php echo $_POST["userName"]; ?>"></TD>
    </TR>
    <TR>
     <TD ALIGN="center">Password</TD>
     <TD ALIGN="center"><INPUT TYPE="password" NAME="passWord"></TD>
    </TR>
    <TR>
     <TD COLSPAN="2" ALIGN="center"><INPUT TYPE="submit" NAME="submit" VALUE="Login"></TD>
    </TR>
   </TABLE>
  </FORM>
  <P>&copy; Copyright 2008 lupus6x9.</P>
 </BODY>
</HTML>

logout.php

<?php 
 $_SESSION["authenticationValid"] = FALSE; 
 $_SESSION["authenticationUser"] = "";
?> 
Thanks for logging out! <A HREF="index.php">Go to the home page now.</A>

you will need to put session_start() at the beginning of your logout.php.

<?php 
session_start(); //<-- This is a must before calling session_destroy()
 $_SESSION["authenticationValid"] = FALSE; 
 $_SESSION["authenticationUser"] = "";
?> 

Thanks for logging out! <A HREF="index.php">Go to the home page now.</A

Nice catch, bwan! Didn't even think to double check that.

As bwan points out, you can't alter session data if you never start the session and first load the data.

My brain is fried

HalfaBee wrote:

If $_SESSION["authenticationValid"] is set to FALSE, it is set, so it is TRUE.

Erm, no, heh... FALSE is not TRUE. In fact, lupus even made it clear that he was comparing two values of the same type (booleans, in this case) by using "!==" instead of just "!=".

Either way, FALSE != TRUE && FALSE !== TRUE.

As I said, my brain is fried.

I was posting about the isset() and didn't see the ! without my glasses

Wow! I totally forgot session_start(). I didn't know it applied to unsetting sessions, but I suppose that would make a lot of sense.

I will try it now, and resolve this thread if it works.