
Why does session ID persist across sessions in PHP?

Developer https://www.devze.com 2023-03-29 01:49 Source: web

Consider the following code:

<?php
    if (!session_id())
        session_start();
    echo session_id();
    session_destroy();
?>

How come every time I refresh this page it shows the same session id, even though the session gets destroyed and recreated each time? Isn't the session id cleared upon session destruction?

EDIT:

I've used this updated code, based on the favorite answer; however, the session id STILL persists! Any ideas?

if (!session_id())
    session_start();
echo session_id();

// Unset all of the session variables.
$_SESSION = array();


// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();


session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

http://php.net/manual/en/function.session-destroy.php

The manual comes with a code example:

Example #1 Destroying a session with $_SESSION

<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();
?>

** Update **

PHP Version 5.3.6-13 Linux lime 3.0.0-1-686-pae #1 SMP Wed Aug 17 04:28:34 UTC 2011 i686

Apache/2.2.19 (Debian)

Session Settings (phpinfo)

Directive                          Local Value     Master Value
session.auto_start                 Off             Off
session.bug_compat_42              Off             Off
session.bug_compat_warn            Off             Off
session.cache_expire               180             180
session.cache_limiter              nocache         nocache
session.cookie_domain              no value        no value
session.cookie_httponly            Off             Off
session.cookie_lifetime            0               0
session.cookie_path                /               /
session.cookie_secure              Off             Off
session.entropy_file               no value        no value
session.entropy_length             0               0
session.gc_divisor                 1000            1000
session.gc_maxlifetime             1440            1440
session.gc_probability             0               0
session.hash_bits_per_character    5               5
session.hash_function              0               0
session.name                       PHPSESSID       PHPSESSID
session.referer_check              no value        no value
session.save_handler               files           files
session.save_path                  /var/lib/php5   /var/lib/php5
session.serialize_handler          php             php
session.use_cookies                On              On
session.use_only_cookies           On              On
session.use_trans_sid              0               0

Update

So, the following settings result in the same problem, if and only if I'm sending the session id as a request parameter: localhost?PHPSESSID=whatever

ini_set('session.auto_start', 'on');
ini_set('session.use_trans_sid', 'on');
ini_set('session.use_cookies', 'off');
ini_set('session.use_only_cookies', 'off');

if(!session_id())
  session_start();

echo session_id();
// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();

IMPORTANT: these settings are vulnerable to session hijacking [session fixation]


It does not destroy your session ID.

so you'd use just

<?php
    session_start();
    echo session_id();
    session_destroy();

?>
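Added example (not code from the question or from any of the answers above): a single script that ties together the two points made on this page. The "Update" answer shows that when the ID is accepted from the URL (session.use_trans_sid on, session.use_only_cookies off) any PHPSESSID a client supplies is adopted, which is the session fixation risk it flags; the last answer notes that session_destroy() alone does not get rid of the ID, so the browser keeps sending the same cookie and the next session_start() silently reuses it. The script below locks the ID to cookies only, asks PHP to reject IDs it never issued, regenerates the ID at login, and expires the cookie at logout. It assumes a PHP newer than the 5.3.6 in the question, because session.use_strict_mode only exists from PHP 5.5.2 on; the user id 42 and the ?login / ?logout query parameters are constructed for the demo.

```php
<?php
// Added example: hardened session handling for the problem discussed on
// this page. Not code from the question or the answers.
// Assumption: PHP >= 5.5.2 (session.use_strict_mode); the question ran 5.3.6.

// 1. Only ever read the session ID from the cookie, never from the URL.
//    The opposite settings (use_trans_sid=1, use_only_cookies=0) are exactly
//    what made ?PHPSESSID=whatever get adopted in the "Update" answer.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// 2. Refuse IDs the server did not create. With strict mode a cookie or URL
//    carrying an unknown ID gets a freshly generated one instead of being
//    honoured, which removes the fixation vector.
ini_set('session.use_strict_mode', '1');

// 3. Keep the cookie away from script access.
ini_set('session.cookie_httponly', '1');

session_start();

// Fully end the session: data, cookie and server-side record.
function end_session()
{
    // Drop the data held for this request.
    $_SESSION = array();

    // Expire the cookie so the browser stops sending the old ID. Without this
    // step the next session_start() reuses the same ID, which is the
    // behaviour the question observed after session_destroy().
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // Remove the server-side session file / record.
    session_destroy();
}

// Bind a user to the session after authentication.
function login_user($userId)
{
    // Issue a new ID and delete the old record (the `true` argument), so an
    // ID a client knew before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Constructed demo routing via query parameters.
if (isset($_GET['logout'])) {
    end_session();
    echo "logged out; the browser no longer has the old ID\n";
} elseif (isset($_GET['login'])) {
    login_user(42); // constructed sample user id
    echo 'logged in, new id: ', session_id(), "\n";
} else {
    echo 'current id: ', session_id(), "\n";
}
```

Load the script, note the ID, then request it with ?login and ?logout: the ID changes at login and a plain reload after logout shows a brand-new ID rather than the one printed before. If you keep the question's original pattern and only call session_destroy(), the reload still shows the old ID because the cookie was never expired.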
