(06-23-2017, 05:32 AM)CINewb Wrote: So the CI session does not have an expiry time, like a regular PHP session would via session.gc_maxlifetime ?
It does, but how and when GC is triggered depends on server configuration.
(06-23-2017, 05:42 AM)Martin7483 Wrote: The CI session does or doesn't have en expire time. It depends on the value you supply
PHP Code:
`
// It will expire after 2 hours of inactivity
$config['sess_expiration'] = 7200;
// It will expire when you close the browser
$config['sess_expiration'] = 0;
sess_expiration plays a role, of course, but it's not as simple as that.
---
Again, this thread is about some auditor saying that cookies with expiry time are a vulnerability (false) ... If you want to argue about how expiry times work, please open a new thread.