[eluser]WanWizard[/eluser]
The session expires using the expiration timestamp on the session cookie. If it is expired, the browser will delete it, so you end up in situation 1).
There are several parts that play a role in what you call "the session":
- the session identification information
- the session cookie
- the session payload
The session ID information consists of a unique Session ID, a timestamp, and the IP address and User Agent string of the client. This information is stored in an array, which is serialized, encrypted, and send to the browser as payload of the session cookie.
The session id is used to access the database, to retrieve the session payload (i.e. the userdata). Userdata never leaves the server (unless you use cookie sessions, in which case the user data is also part of the encrypted cookie). Userdata stored on the server is not encrypted, the assumption is made that your database server is secure (which is not always the case with file based sessions, especially not on a shared host).
