how to destroy a session and immediately create a new one?

[eluser]Narkboy[/eluser]
That'll teach me to post mid-way through a problem.

So - it is a caching issue. You do need the refresh. Use a redirect within the logout controller to achieve this. It's invisible to the user, and gets you want you want. My login form checks for a username in the session userdata, and explicitly calling unset_userdata('user_name') clears that. The rest of the userdata remains in the cache. That's no issue for me - as soon as the user goes to the next page, it's gone anyway.

You need to do the refresh so that you can start the session again and add in the data. I would suggest that you store the user name in a temp table in a db to keep it accross the refresh. Otherwise, you'll need to do the refresh and re-send the post data manually.