hi Philipp,

i found that the session handling is weird, let me expose:

problem:
- my session id is the same after more than 20 hours
- the id doesn't change over login/logout

impact:
- session fixation is perfect here
- there is actually NO way to destroy the current session id

solve:
- session_regenerate_id() every X requests (or at every request)
- session_regenerate_id() on login
- session_destroy() on logout

* i'm continuing my audit work and trying to be as accurate as possible to eradicate most bugs

regards,
Francesco 'ascii' Ongaro
http://www.ush.it

* consider the attached code
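The three fixes listed in the message, worked into a small PHP session life cycle (an added example, not the attached code or anything from the original message; the 300-second rotation interval and the function names are assumptions):

```php
<?php
// Session life cycle that rotates the id on login and periodically,
// and fully destroys the session on logout.

const REGENERATE_AFTER_SECONDS = 300; // assumed interval, tune per application

function startSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Reject client-supplied ids that do not belong to an existing
        // server-side session, so a pre-chosen id is never adopted.
        ini_set('session.use_strict_mode', '1');
        ini_set('session.use_only_cookies', '1');
        session_start();
    }
    // Periodic rotation bounds how long any single id stays valid.
    $last = $_SESSION['_regenerated_at'] ?? 0;
    if (time() - $last > REGENERATE_AFTER_SECONDS) {
        rotateSessionId();
    }
}

function rotateSessionId(): void
{
    // true: delete the old session data so the previous id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['_regenerated_at'] = time();
}

function onLogin(int $userId): void
{
    // Fresh id at the privilege change: whatever id the browser carried
    // before authentication is no longer tied to the logged-in session.
    rotateSessionId();
    $_SESSION['user_id'] = $userId;
}

function onLogout(): void
{
    $_SESSION = [];
    // Expire the id cookie on the client, not only the server-side state.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```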