priti has asked for the wisdom of the Perl Monks concerning the following question:

Hello,

Something I am not able to understand in Perl is session expiry. In IE, when my Perl session expires, the browser Back button does not allow going back, so I am saved in that the user can't resend the info. Whereas in Firefox, when the session expires, it does not expire the session properly... it allows me to go back, all the fields still have the data, and on submit it will submit the form again...

Do we have anything in Perl to control multiple submission of a form, so that once the session gets deleted the info also gets lost? The problem is with the browser Back button :-(

I am a little new to Perl; please share your wisdom on this topic.

Regards, Priti

Replies are listed 'Best First'.
Re: Session problem
by almut (Canon) on Aug 08, 2008 at 09:16 UTC

    Not sure I understand what the browser's back button (or form re-submission) has to do with session expiry.  Anyway... don't expect the browser to handle your session. Any checks that matter to the integrity of your program logic should be done server-side. That includes handling session data. In short, you can't effectively control a browser (or any other HTTP client) to not resend form data... so if it matters, you'll have to check for that case server-side (for example by assigning a one-time unique ID to every form sent to the browser and then keeping track of which IDs/forms have already been submitted...  or some such).

    That said, in case your problem rather is that the session data isn't being deleted server-side, you might just need to call flush after having called the delete method — in case you're using CGI::Session, that is. The module is known to often need explicit flushing.   Some more details (e.g. if this is normal CGI or some persistent environment, etc.) and some sample code would help to give us a better idea of what your exact problem is.

      I will try flushing after session destroy. In the meantime, the following is my code.

      1. From PHP files I am receiving parameters to my Perl file through GET.
      2. In the Perl file: it is a multiple-page form, almost four pages. On every page submit, the session_start function checks whether a session exists or not. If yes, it reinitializes it, else it creates a new one. So on page 1 it creates a new session ID, and until I submit my page the session ID is saved as a hidden field in the form; it propagates from the first page to the last page and I keep on initializing it.

      It is a huge amount of code that I can't paste here; these are the lines in my code to start and destroy the session.

          use CGI;
          use CGI::Session;

          my $q   = new CGI;
          my %KVP = $q->Vars;
          my $id  = $KVP{'sessionid'};    # post hidden variable
          my $session   = &session_start($q, $id);
          my $sessionid = $session->id;
          # . . .
          if ($session) {
              session_destroy($session);  # This doesn't empty the cgisess_ var in /tmp
          }

          sub session_start {
              my ($cgi, $session_id) = @_;
              my $session;
              if ($session_id eq '') {
                  # create new session
                  $session = new CGI::Session(undef, $cgi, {Directory=>'/tmp/'});
              }
              else {
                  # reinitialise session with session id
                  $session = new CGI::Session(undef, $session_id, {Directory=>'/tmp'});
              }
              return $session;
          }

          sub session_destroy {
              my ($session) = @_;
              $session->delete();
          }

      This is what I understand by myself and tried to implement in my project. If you find something is not good practice, or this can be done in a more efficient way, kindly advise me on that also. Thanks.
Re: Session problem
by Anonymous Monk on Aug 08, 2008 at 06:53 UTC
    A browser doesn't know about perl, and browser quirks are just quirks.
      But why is the behavior different??? I have a problem in session delete, I suppose. If the session is destroyed, then how come all the fields are there in cgisess_ in the /tmp folder.... To delete the session I am using the $session->delete(); method.... Do we have a destroy which completely destroys the session in Perl... I feel I am messing something. If in PHP you write session_destroy(), the $_SESSION is empty..... but in Perl, how does it work!!! How to check the old session is lost?

        The problem is probably with browser caching and POST v GET handling on form submissions. You generally want to redirect POSTs to GETs after you handle them. Without some sample code I'm just guessing, though. There is more than one Perl session package. A thorough understanding of HTTP plus browser quirks in regards to caching and HTTP method handling is necessary to debug this stuff.

        The PHP session is not a terrific example of how it should work. The session data proper is emptied but the session, its cookie, and the globals it might have set-up are alive and well and can lead to all kinds of problems if you don't sanitize/check it (and take care of your own persistence layer if you actually have one) and clear the cookie. Very annoying default behavior. From the docs-

        session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie.
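
almut's suggestion above (a one-time ID per form, tracked server-side) combined with the delete-then-flush point, as an added example that is not code from any poster in this thread. The helper names, the `pending_forms` session key and the temporary session directory are assumptions for illustration, and the token is read from /dev/urandom, so a Unix-like host is assumed.

```perl
use strict;
use warnings;
use CGI::Session;
use File::Temp qw(tempdir);

# 32 hex characters from the kernel CSPRNG (assumes a Unix-like host).
sub random_token {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Hypothetical helper: record a fresh token in the session and return it,
# to be embedded in the form as a hidden field.
sub issue_form_token {
    my ($session) = @_;
    my $pending = $session->param('pending_forms') || {};
    my $token   = random_token();
    $pending->{$token} = time;
    $session->param('pending_forms', $pending);
    $session->flush;    # write now rather than at object destruction
    return $token;
}

# Hypothetical helper: true only the first time an issued token comes back.
sub consume_form_token {
    my ($session, $token) = @_;
    my $pending = $session->param('pending_forms') || {};
    return 0 unless defined($token) && delete $pending->{$token};
    $session->param('pending_forms', $pending);
    $session->flush;
    return 1;
}

# Constructed demo: a throwaway directory stands in for /tmp.
my $dir     = tempdir(CLEANUP => 1);
my $session = CGI::Session->new(undef, undef, { Directory => $dir });
my $sid     = $session->id;
my $token   = issue_form_token($session);
print "first submit accepted:      ", consume_form_token($session, $token), "\n";
print "resubmit via Back accepted: ", consume_form_token($session, $token), "\n";

$session->delete;   # only marks the session for removal
$session->flush;    # actually removes the cgisess_ file
my $gone = CGI::Session->load(undef, $sid, { Directory => $dir });
print "old session id still loads: ", ($gone->is_empty ? 0 : 1), "\n";
```

In a form handler, a false return from `consume_form_token` means the POST is a replay (Back button, reload, or a stale page) and the submission is not processed a second time.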