to destroy all the session data because the user clicks the "Logout" link, but session_id is still set, so users can still have access to all protected pages. What am I doing wrong?
[eluser]ReyPM[/eluser]
Hmm, something is really wrong here. I destroy the session as you suggest, but if I then check in any controller, at __construct() or at index(), whether session_id is set, it's set. Maybe I'm wrong, but should session_id exist even if I destroy everything about the session?
[eluser]Aken[/eluser]
A session_id is used to attach a cookie to a user. This happens on EVERY request. Do not use session_id as a check for a logged in user - set your own userdata for that.
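
The pattern described in the last reply, as an added example that is not part of the thread: the access check reads a flag the application sets at login, and logout clears that flag before destroying the session. It assumes CodeIgniter 2.x with the Session library and URL helper autoloaded; `Protected_Controller`, `Account`, `user_model->verify()`, the view and route names, and the `logged_in` / `user_id` keys are hypothetical.

```php
<?php
// Added example (not from the thread). Hypothetical names throughout.

// Base class for every controller that serves protected pages.
class Protected_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        // session_id exists for every visitor, logged in or not, so it
        // proves nothing. Gate on the flag that login() sets instead.
        if ( ! $this->session->userdata('logged_in')) {
            redirect('account/login');
        }
    }
}

class Account extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->model('user_model'); // hypothetical model
    }

    public function login()
    {
        // verify() is assumed to return a user row, or FALSE on bad credentials.
        $user = $this->user_model->verify(
            $this->input->post('username'),
            $this->input->post('password')
        );
        if ($user === FALSE) {
            $this->load->view('login_form');
            return;
        }
        $this->session->set_userdata('user_id', $user->id);
        $this->session->set_userdata('logged_in', TRUE);
        redirect('dashboard');
    }

    public function logout()
    {
        // Clear the auth flag explicitly, then drop the whole session.
        $this->session->unset_userdata('logged_in');
        $this->session->unset_userdata('user_id');
        $this->session->sess_destroy();
        redirect('account/login');
    }
}
```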