You're calling session_destroy() twice.

If your cookie isn't set, then it won't equal $_SESSION['email'] will it?

Change your code to:

public function forbidden(){
    if(!isset($_SESSION)){ session_start(); }

    if(!isset($_SESSION['email']) || !isset($_SESSION['id'])){
        $this->error_404();
    }else{

        if(!isset($_COOKIE['data'])){
            session_destroy();
            $this->error_404();
        } elseif($_COOKIE['data'] != sha1($_SESSION['email'])){
            session_destroy();
            unset($_COOKIE["data"]);
            setcookie("data", false, time() - 3600, '/');
            $this->error_404();
        }
    }
}

The problem is that you call session destroy twice. If $_COOKIE['data'] is not set, then $_COOKIE['data'] != sha1($_SESSION['email']) will return false as well and it will try to destroy the session again.

    if(!isset($_COOKIE['data'])){
        session_destroy();
        $this->error_404();
    }

    if($_COOKIE['data'] != sha1($_SESSION['email'])){
        session_destroy();
        unset($_COOKIE["data"]);
        setcookie("data", false, time() - 3600, '/');
        $this->error_404();
    }

Make the checks on in another

     if($_COOKIE['data'] != sha1($_SESSION['email'])){
        if(!isset($_COOKIE['data'])){
        session_destroy();
        $this->error_404();
        }
        else
        {
        unset($_COOKIE["data"]);
        setcookie("data", false, time() - 3600, '/');
        session_destroy();
        $this->error_404();
        }
    }

If the cookie data is not valid, it may be because there is no cookie. This way, if it's not valid, it checks if it exists. If it does exist and it's not valid, it does something. If it doesn't, it does something else.

Read This Answers of this question on stackoverflow
why session destroy not working
put this code in first and End of Your php File

<?php
ob_start();
?>
Your Code Here...
<?php
ob_flush();
?>

Your calling session_destroy() twice.
Or Removed All Sessions on server...