I've added details in the PM of what the pen test report says in relation to session management. The PHPSESSID doesn't change when I log out - I have attached two screenshots of what Chrome lists when logged in, and when logged out - both are identical, I think.