You can't have every session destroyed and client logged out of site everytime you checkout of the cart
I'm on your side with this! Using the session ID for the unique identifier is not a good idea, but seems to be what they do.
What I did was create a unique code - as soon as the checkout was initiated. I do an MD5 hash of the SESSON ID and the current TIMESTAMP. No two users will ever get the same code, and even the same user cannot generate the same code - since the timestamp will be different the next time they come back to the checkout page.
I followed the eCart naming convention for storing sessions (started with "eCart") so on the success page - when it's time to clear everything relating to the cart it's gone with a dynamic little strip of code (provided a few posts back) yet retains the session login and everything NOT related to the cart.
HOWEVER - that was a lot of work for something that should just be done automatically.