After unsetting and destroying the session, the same sid is generated.
No session identifier is generated at this point. This generation only happens when there is no identifier presented by the client, or when you explicitly regenerate it using something like session_regenerate_id().
is this a normal behaviour?
Yes.
Are you sure you need a new session identifier?
i did this:
session_start()
//kill session variables unset($_SESSION); session_destroy();
I'd have to do some tests to find out, but you might want to set $_SESSION to attay() rather than just unset it, but these might have essentially the same behavior (e.g., memory is freed but not overwritten).
Hope that helps.
Chris
-- Chris Shiflett Brain Bulb, The PHP Consultancy http://brainbulb.com/
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php