This causes cookiewalls to appear on many websites, even ones that only need cookies for managing administrator access and not for tracking regular visitors. This seems to be a feasonable yet cumbersome workaround I found on the web, to wipe the cookie after any session_start(): $_SESSION = array(); if (session_id() !== "") { if (ini_get("session.use_cookies")) { $params = session_get_cookie_params(); setcookie( session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"] ); } session_destroy(); } header_remove("Set-Cookie"); header_remove("X-Powered-By"); Another option seems to be creating a custom session database, which is even more cumbersome.