Session ID duplicating

For some reason when I log in with my CMS for the first time and then log out then log back in again it DOES not make a new session_id. It wants to use the same session_id from before I logged out. Any thoughts as to why that would be?

This is my logout page:

<?php

// Access the开发者_开发问答 existing session
session_start(); 

// Delete the session variable
unset($_SESSION);

// Destroy the session data:
session_destroy();

// Redirects to the login page
header ('Location: login.php');

?>

If you first load the page you don't have any cookie containing the sessionid, so the server creates a new one and sends it to you. If you log out the cookie remains, so when you log back in the server gets the sessionid from the cookie and doesn't create a new one. So you keep your sessionid. This is not very safe. What the CMS or you should do is call session_regenerate_id() right after the username and password are checked. This way you also prevent session fixation

You are probably unsetting some session variables (those that let you know if the user is logged in, and what their user id is), but you are forgetting to call session_destroy() as part of the logout process.

Update: It seems you are destroying the session state correctly, but you are not resetting the session cookie. The linked page above explains what you need to do and provides example code.