Android PHP Communication Login Session

Asked 2 years ago, Updated 2 years ago, 35 views

I am implementing login by sending requests to PHP with Retrofit 1.9.

Currently, the session ID is intercepted from the Android RestAdapter and stored in the preferences.

import com.squareup.okhttp.OkHttpClient;
import retrofit.RequestInterceptor;
import retrofit.RestAdapter;
import retrofit.client.OkClient;

// Retrofit 1.9 + OkHttp 2.x setup (the versions used in the question)
OkHttpClient clienteOkHttp = new OkHttpClient();
RestAdapter.Builder builder = new RestAdapter.Builder()
        .setEndpoint(BASE_URL) // server base URL, not shown in the question
        .setClient(new OkClient(clienteOkHttp));

builder.setRequestInterceptor(new RequestInterceptor() {
    @Override
    public void intercept(RequestInterceptor.RequestFacade request) {
        request.addHeader("Authorization", "auth-value");
        request.addHeader("Accept", "application/json");
    }
});
// Custom OkHttp interceptors from the question's own project: AddCookiesInterceptor re-sends the
// cookie saved in the preferences, ReceivedCookiesInterceptor stores the Set-Cookie value it receives.
clienteOkHttp.interceptors().add(new AddCookiesInterceptor());
clienteOkHttp.interceptors().add(new ReceivedCookiesInterceptor());

If the user enters an ID and PWD that match, there is no problem with the interceptor.

However, once a request is made, PHP sends the session ID in the header even if the ID and PWD are wrong, and Android holds that session ID value from the header, so if you close the app and open it again you are logged in immediately.

(When the app starts, it checks the preferences to see whether the cookie is empty and, if not, moves on to the main page.)

So I handled it in PHP like this when the ID and PWD did not match.

<?php
session_start();
// ... look up the user and check the password (omitted in the question) ...

if ($idPwdMatch) {
    // ID and PWD match: set the session variable
    $_SESSION['id'] = $id;
} else {
    // ID and PWD mismatch: clear the session data and destroy the session
    $_SESSION = array();
    session_destroy();
}


I didn't think this would be put in the header, but it's a problem because the header still contains an ID value.

1. As a result, I want to empty the session ID value in the header when login fails.

2. If the ID and PWD match at login, put the ID value in the session variable and look up the user information using that session variable. Is it right to send a user ID like this?

3. Should the DB additionally manage user sessions to implement duplicate login handling?

4. I didn't feel the need for a session on Android, as opposed to the web, but I thought it would be necessary to have user information such as an ID on the client side and send it with the request whenever necessary. Am I right?

php android

2022-09-21 14:18
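For question 1, the detail that causes the symptom described above is that session_start() already sent a Set-Cookie for the session ID before the password was checked, and session_destroy() only removes the server-side data, not that cookie. The following added example (not the asker's code) shows a login handler that expires the cookie on failure, rotates the session ID on success, and gives the app a server-side check to call instead of trusting a non-empty cookie in its preferences. The user lookup find_user_hash() is a constructed stand-in for the real DB query.

```php
<?php
// Added example, not code from the question. Assumes a JSON body {"id":..., "pwd":...}
// and a hypothetical find_user_hash($id) that returns the stored password_hash() or null.
declare(strict_types=1);

function find_user_hash(string $id): ?string {
    // Constructed stand-in for a DB lookup; the demo password for "alice" is "correct-horse".
    $users = ['alice' => password_hash('correct-horse', PASSWORD_DEFAULT)];
    return $users[$id] ?? null;
}

function expire_session_cookie(): void {
    // session_destroy() leaves the PHPSESSID cookie on the client; expire it explicitly
    // so an app that checks "cookie not empty" does not treat a failed login as logged in.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
}

function handle_login(string $id, string $pwd): array {
    session_start();

    $hash = find_user_hash($id);
    if ($hash === null || !password_verify($pwd, $hash)) {
        // Failure: wipe session data, expire the cookie, then destroy the session.
        $_SESSION = [];
        expire_session_cookie();
        session_destroy();
        http_response_code(401);
        return ['ok' => false];
    }

    // Success: rotate the session ID so an ID issued before login cannot be reused
    // (session fixation), and keep only what the server needs to identify the user.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $id;
    $_SESSION['logged_in_at'] = time();
    return ['ok' => true, 'user_id' => $id];
}

function current_user(): ?string {
    // Server-side check the app should call at startup instead of trusting its stored cookie.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return $_SESSION['user_id'] ?? null;
}

header('Content-Type: application/json');
$input = json_decode((string) file_get_contents('php://input'), true);
if (!is_array($input)) {
    $input = [];
}
echo json_encode(handle_login((string) ($input['id'] ?? ''), (string) ($input['pwd'] ?? '')));
```

With this layout the answer to question 2 follows naturally: the client never sends its user ID as proof of identity; the server derives it from $_SESSION on every request, so a forged or stale ID in the request body has no effect.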

1 Answer

This is not an answer to the code above, but an answer to number 4.

Even if you only send it when you log in for the first time, anyone can see it if they capture the packet.

Even if you send it encrypted, the client has or receives the key, so if you tamper with the client you can decrypt it and see it.

So in fact, you don't really have to go to the trouble of using a session in an app. Of course, it doesn't matter if you use one, but there are many things to pay attention to.

So, if the login is successful, issue a token and send it to the client.

There's a way to authenticate by sending the token whenever a request comes in.

There are several ways of doing this, and the one I want to recommend is called JWT.

http://bcho.tistory.com/999

It's explained in detail there. To put it very simply,

it's like this.

The bottom line is that you send the id and pw, but you send them encrypted.

The important thing is that now the server or client has to sign it to prove that it hasn't been tampered with.

There are many libraries for that, so take your time to find one.

This is a simple explanation, so you can only get the concept from it. I recommend you look into the details further.


2022-09-21 14:18
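The signing step the answer refers to is the core of JWT: the server issues a token whose header and claims are base64url-encoded and then signed with a secret only the server knows, and on each request it recomputes the signature and rejects anything that does not match. The following added example (not the answerer's code, and not a substitute for a maintained library) implements HS256 issue and verify in plain PHP so the mechanism is visible. JWT_SECRET is a constructed demo value. Note that the payload is only encoded and signed, not encrypted, so it should carry an identifier like the user ID and never the password.

```php
<?php
// Added example, not code from the answer. JWT_SECRET is a constructed placeholder;
// a real deployment loads it from configuration and uses a vetted JWT library.
declare(strict_types=1);

const JWT_SECRET = 'constructed-demo-secret-change-me';

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $s): string {
    $s = strtr($s, '-_', '+/');
    $s .= str_repeat('=', (4 - strlen($s) % 4) % 4); // restore padding stripped by b64url()
    $bin = base64_decode($s, true);
    return $bin === false ? '' : $bin;
}

// Issue a signed token for a user who has already passed the password check.
function jwt_issue(string $userId, int $ttlSeconds = 3600, ?int $now = null): string {
    $now = $now ?? time();
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode(['sub' => $userId, 'iat' => $now, 'exp' => $now + $ttlSeconds]));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", JWT_SECRET, true));
    return "$header.$payload.$sig";
}

// Verify a token sent with a request; returns the claims, or null if it is not trustworthy.
function jwt_verify(string $token, ?int $now = null): ?array {
    $now = $now ?? time();
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;

    // Pin the algorithm server-side: never let the token's own "alg" choose how it is checked.
    $header = json_decode(b64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }

    // Recompute the signature over the exact bytes received and compare in constant time.
    $expected = b64url(hash_hmac('sha256', "$h.$p", JWT_SECRET, true));
    if (!hash_equals($expected, $s)) {
        return null;
    }

    // Signature is valid; now enforce expiry so a captured token has a limited lifetime.
    $claims = json_decode(b64url_decode($p), true);
    if (!is_array($claims) || !isset($claims['exp']) || !is_int($claims['exp']) || $claims['exp'] < $now) {
        return null;
    }
    return $claims;
}

// Typical use: after a successful login, return jwt_issue($userId) to the app; on later
// requests read the "Authorization: Bearer <token>" header and call jwt_verify().
$token  = jwt_issue('alice');
$claims = jwt_verify($token);               // valid token: claims array with sub = "alice"
$forged = jwt_verify($token . 'x');         // modified signature: null
$stale  = jwt_verify($token, time() + 7200); // past exp: null
```

Because the app only holds the token and not the secret, tampering with the client (the answer's second point) lets someone read the claims but not forge or alter a token, which is the property the answer describes as "sign it to prove that it hasn't been tampered with".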


© 2024 OneMinuteCode. All rights reserved.