Are you still logged in (or other session data intact) after you have executed the stop() function?
You always get a new empty session when you have session set to autoload, but it should be empty. If it's not empty, it's a security risk.
"You may also use the stop() method to completely kill the session by removing the old session_id, destroying all data, and destroying the cookie that contained the session id". This part of the user guide says it's destroyed, but due to the nature of your application you have session on autoload, so they get a new one instantly.