[snip] > > > > If you are right, then this is a severe design bug. > > Depends on your point of view. It is a sideeffect of loading current > session (and thus accessing it) before the session gc is called. > > So the question is, should the session module give up on current session > just because it should have been garbaged, even if the session file > still exists? Apologies if I'm way off here, but I'm relatively new to PHP. Surely it should be down to settings in php.ini, not a point of view or the probability of the garbage collection possibly having run when a new session is started. Why can there not be a session_timeout value that is adhered to? Would it not also save everyone from writing their own code to determine whether or not they should be using the session that PHP is making available? If my site is accessed by few users and I have a session 'timeout' of 30minutes specified, if Bob leaves his PC at 10:00 I would expect that if he returned at 10:40, and no-one else had accessed the system, his session would have expired and he would need to re-authenticate to create a new session. Short of writing custom session handlers, the current arrangement seems somewhat haphazard to me. Those are my current thoughts anyway. Graham -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php