On the checkout success page that the user goes to after a transaction, we added some code to destroy the session, unset it, then regenerate the session ID.
Finally, on the confirm page we did an extra session ID regeneration. Here is the code we used:
Destroy the current session:
Unset the session:
Regenerate the session:
Before using any of these you should check if the session has been started, and if not start it like this:
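The steps above put together, as an added example that is not the code from the original page. It assumes PHP's built-in session functions; the function names `ensure_session_started`, `end_checkout_session` and `rotate_session_id` are hypothetical. It clears the variables before destroying and restarts the session before regenerating, because `session_unset()` and `session_regenerate_id()` only act on an active session.

```php
<?php
declare(strict_types=1);

// Added example: the three function names below are hypothetical helpers,
// not taken from the original page.

/** Start the session only if one is not already active. */
function ensure_session_started(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

/** Checkout success page: drop all session data, then continue under a new ID. */
function end_checkout_session(): void
{
    ensure_session_started();

    // Clear the session variables while the session is still active;
    // session_unset() returns false once the session has been destroyed.
    session_unset();

    // Delete the session data held in server-side storage.
    session_destroy();

    // session_regenerate_id() fails with a warning when no session is
    // active, so open an empty session before rotating the ID.
    session_start();

    // true = also delete the old session's stored data, so the ID that was
    // in use during checkout cannot be resumed.
    session_regenerate_id(true);
}

/** Confirm page: the extra ID rotation, keeping the session contents. */
function rotate_session_id(): void
{
    ensure_session_started();
    session_regenerate_id(true);
}
```

Call these before any output is sent, since `session_start()` and `session_regenerate_id()` both need to set the session cookie header.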