Hi kiwinz,
kiwinz wrote:I've been playing about with php sessions (with no cookies)
What does "with no cookies" mean? Do you add the SID in the url?
kiwinz wrote:<?php session_start(); echo session_id(); ?>
creates and displays my session key in xampp/tmp and
session_start doesn't create a session_key if one already exists.
kiwinz wrote:<?php session_destroy(); ?>
deletes the key.
session_destroy() doesn't delete the key.
The manual for session_destroy() says everything needed:
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
kiwinz wrote:(2)Also, if - instead of session_destroy() - I just close my browser, the session key in xampp/tmp isn't deleted at all. That doesn't look right to me - shouldn't the key be destroyed whenever the browser is closed, irrespective of whether a session_destroy has been processed or not ...?
How should the server know that the user has closed his browser? The browser doesn't send any information about that to the server. That's what the garbage collector is for.
Think about how the server can know that your browser has already sent a request and got a session which can be reused.
kiwinz wrote:I could be wrong here, but It seems like garbage collection probability must be calculated to 1 (= certainty) to successfully purge session keys ...
Very bad idea to change anything for the gc if you have no idea what you are doing. gc is already configured with the recommended settings and values.
Best wishes,
Altrea
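
The logout sequence described in the quoted manual text, written out as an added example (not part of the original post). It assumes PHP's default file-based session handler; the function name end_session() is hypothetical.

```php
<?php
// Added example: full session teardown for a logout request.
// end_session() is a hypothetical helper name, not a PHP built-in.

function end_session(): void
{
    // Resume the existing session so there is something to destroy.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. session_destroy() does not unset the session variables,
    //    so clear them explicitly.
    $_SESSION = [];

    // 2. session_destroy() does not unset the session cookie either.
    //    If cookies propagate the session id, expire the cookie using
    //    the same path/domain/flags it was originally set with.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,
            $p['path'],
            $p['domain'],
            $p['secure'],
            $p['httponly']
        );
    }

    // 3. Remove the server-side session data (with the default handler,
    //    the sess_* file in the session save path).
    session_destroy();
}

// Must run before any output is sent, because setcookie() emits a header.
end_session();
echo "Session ended\n";
```

Sessions that are never ended this way (for example, the browser was simply closed) keep their data on the server until the garbage collector removes it.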