Comment 3 for bug 610178

Rod (rod-psiphon) wrote :

More info:

Unlike the P cookie, the PHPSESSID cookie isn't cleared when the user logs out of Psiphon. It is cleared when the browser is closed.

We could clear the PHPSESSID cookie like we do the P cookie by resetting it with a pre-expired expiry date. See: http://www.php.net/manual/en/function.session-destroy.php

Open question: is this a security issue? What are our design requirements for leaving no trace of using Psiphon after logging out, after closing the browser, etc.? To properly address this, first we need a design target; then we need to consider all aspects (e.g., what's in the browser cache). Maybe we shouldn't be re-inventing Private Browsing browser modes.
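
The approach suggested in the comment above (expire the PHPSESSID cookie at logout and destroy the server-side session), as an added example that is not part of the original comment or of Psiphon's code. The function name `clear_php_session` is hypothetical, and the options-array form of `setcookie()` assumes PHP 7.3 or later.

```php
<?php
// Added illustration, not Psiphon code. clear_php_session() is a hypothetical name.

function clear_php_session(): bool
{
    // The session must be active before it can be emptied and destroyed.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Drop the server-side data for this request.
    $_SESSION = [];

    // Expire the browser-side cookie. The browser only overwrites a cookie
    // whose name, path and domain match the original, so reuse the
    // parameters the session cookie was issued with.
    if (ini_get('session.use_cookies')) {
        if (headers_sent()) {
            // Too late to emit Set-Cookie; the caller should log this,
            // because the cookie will survive until the browser closes.
            session_destroy();
            return false;
        }
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000, // pre-expired date
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ]);
    }

    // Remove the session record on the server, so a copy of the old
    // PHPSESSID value no longer maps to any session.
    return session_destroy();
}
```

This removes the cookie and invalidates the session id on the server; it does nothing about the browser cache or history, which the open question above also raises.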