So the rule that you have applied is defined as allow access if the session variable userID does not have a value. At the top of this page you are checking the session variable user id to see if it is set, if it is not you are setting it to an empty string. This means that you will always pass the users logged in rule that is on this page. This is because you are setting the userID session variable to "" (empty) and your rule says to allow access if this variable is blank.
You will need to update your users logged in rule to check if it is not equal to "" instead of being equal.