且构网


PHP login system won't send headers, and logging in again requires a refresh to fully log out.

Updated: 2023-12-04 16:30:46

If I login with username "John" and then logout, and connect with username "Bob" it shows "John's" statistics.

That's a session fixation issue. Clearly session_destroy() in logout.php is not working. While you should always change the session id whenever there is a change to authentication (login and logout) that's not going to fix the problem here. Presumably logout.php is emitting the "headers already sent" error. (see below).

Cannot send session cache limiter

DO NOT TRY TO MAKE YOUR SESSION PAGES CACHEABLE

This is really difficult to get right and should not be attempted until you are an expert with PHP programming (and even then it is very dubious).

This is not caused by the META headers you've shown us. It's in your PHP config.

<meta HTTP-EQUIV="Pragma" CONTENT="no-cache">

This is nonsense. Remove it.

<meta HTTP-EQUIV="Expires" CONTENT="-1">

This is ambiguous. Remove it.

Cannot modify header information - headers already sent

Go and read those docs again. Looking at the error, in your case it's most likely a BOM on the file, but the way you write your code invites failures - don't use a closing tag unless you really need to. Use a better editor or find out how to configure the one you are using to save files as ASCII or UTF-8 without a BOM.

sha1($password)

This is insecure - you're not using a salt.
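
The points raised in the answer above, put together as an added example that is not part of the original answer: a check for a UTF-8 BOM, a guard that fails loudly when output has already started, a new session ID at login, a full teardown at logout, and salted password verification. The function names are hypothetical, and it assumes stored hashes were created with `password_hash()`.

```php
<?php
declare(strict_types=1);
// Added example; function names are hypothetical, not from the answer.

/** True if the file starts with a UTF-8 BOM, which PHP sends as output before any header. */
function has_utf8_bom(string $path): bool
{
    return file_get_contents($path, false, null, 0, 3) === "\xEF\xBB\xBF";
}

/** Fail loudly instead of letting session and header calls silently do nothing. */
function require_clean_headers(): void
{
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output already started at $file:$line");
    }
}

function login(string $user, string $password, ?string $storedHash): bool
{
    require_clean_headers();
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Assumption: $storedHash was produced by password_hash(), which salts each hash.
    if ($storedHash === null || !password_verify($password, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);      // new session ID on authentication change
    $_SESSION = ['user' => $user];    // drop anything left from a previous user
    return true;
}

function logout(): void
{
    require_clean_headers();
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();              // the session must be active to destroy it
    }
    $_SESSION = [];                   // clear data held in this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                // remove the server-side session data
}
```

Running `has_utf8_bom()` over logout.php and every file it includes is a quick way to confirm or rule out the BOM before changing anything else.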