here is a small update to the session destroy code that should correct the issue.
it needs to go on each of the respective checkout success pages after the closing HTML tags.
to make sure that the change is being uploaded to the server, make a visual change to the page in addition to adding the code, this way, you can see at a glance whether the change is making it to the server.
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
@session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
@setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
@session_destroy();
session_regenerate_id();
@session_start();
?>